Abstract. We study the reachability problem for communicating timed 
processes, both in discrete and dense time. Our model comprises au- 
tomata with local timing constraints communicating over unbounded 
FIFO channels. Each automaton can only access its set of local clocks; 
all clocks evolve at the same rate. Our main contribution is a complete 
characterization of decidable and undecidable communication topologies, 
for both discrete and dense time. We also obtain complexity results, by 
showing that communicating timed processes are at least as hard as Petri 
nets; in the discrete time, we also show equivalence with Petri nets. Our 
results follow from mutual topology-preserving reductions between timed 
automata and (untimed) counter automata. 



1 Introduction 

Communicating automata are a fundamental model for studying concurrent pro- 
cesses exchanging messages over unbounded channels [21,11]. However, the model 
is Turing-powerful, and even basic verification questions, like reachability, are 
undecidable. To obtain decidability, various restrictions have been considered, 
including making channels unreliable [3,13] or restricting to half-duplex com- 
munication [12] (later generalized to mutex [16]). Decidability can also be ob- 
tained when restricting to executions satisfying additional restrictions, such as 
bounded context-switching [19], or bounded channels. Finally, and this is the 
restriction that we consider here, decidability is obtained by constraining the 
communication topology. For communicating finite-state machines (CFSMs), it 
is well-known that reachability is decidable if, and only if, the topology is a poly- 
forest [21,19]; in this case, considering channels of size one suffices for deciding 
reachability. 

On a parallel line of research, timed automata [8] have been extensively stud- 
ied as a finite-state model of timed behaviours. Recently, there have been several 
works bringing time into infinite-state models, including timed Petri nets [9,4], 
timed pushdown automata [2], and timed lossy channel systems [1]. In this paper, 
we study communicating timed processes [18], where a finite number of timed 
automata synchronize over the elapsing of time and communicate by exchanging 
messages over unbounded channels. Note that, when processes can synchronize, 
runs cannot be re-ordered to have uniformly bounded channels (contrary to 
polyforest CFSMs). For example, consider two communicating processes p and 
q, where p can send to q unboundedly many messages in the first time unit, 
and q can receive messages only after the first time unit has elapsed. Clearly, all 
transmissions of p have to occur before any reception by q, which excludes the 
possibility of re-ordering the run into another one with bounded channels. 

We significantly extend the results of [18], by giving a complete characteriza- 
tion of the decidability border of reachability properties w.r.t. the communication 
topology. Quite surprisingly, we show that although synchronization increases the 
expressive power of CFSMs, the undecidability results of [18] are not due to just 
synchronous time, but to an additional synchronization facility called urgency 
(cf. below). Our study comprises both dense and discrete time. 

Dense time: Communicating timed automata. Our main result is a complete 
characterization of the decidability frontier for communicating timed automata: 
We show that reachability is decidable if, and only if, the communication topol- 
ogy is a polyforest. Thus, adding time does not change the decidability frontier 
w.r.t. CFSMs. However, the complexity worsens: From our results it follows that 
communicating timed automata are at least as hard as Petri nets. 3 

Our decidability results generalize those of [18] over the standard semantics 
for communicating automata. In the same work, also undecidability results are 
presented. However, they rely on an alternative urgent semantics, where, if a 
message can be received, then all internal actions are disabled: This provides an 
extra means of synchronization, which makes already the very simple topology 
p → q → r undecidable [18]. We show that, without urgency, this topology
remains decidable. 

Here, we do not consider urgency directly, but we rather model it by in- 
troducing an additional emptiness test operation on channels on the side of the 
receiver. This allows us to discuss topologies where emptiness tests (i.e., urgency) 
are restricted to certain components. We show that, with emptiness tests, not 
only the topology p → q → r is undecidable, as in [18], but also p → q ← r and 
p ← q → r. Thus, we complete the undecidability picture for dense time. 

All our results for dense time follow from a mutual, topology-preserving re- 
duction to a discrete-time model (discussed below). Over polyforest topologies, 
we reduce from dense to discrete time when no channel can be tested for empti- 
ness. Over arbitrary topologies, we reduce from discrete to dense time, even in 
the presence of emptiness tests. While the latter is immediate, the former is 
obtained via a Rescheduling Lemma for dense-time timed automata which is in- 
teresting on its own, allowing us to schedule processes in fixed time-slots where 
senders are always executed before receivers. 

Discrete time: Communicating tick automata. We provide a detailed analysis 
of communication in the discrete-time model, where actions can only happen 
at integer time points. As a model of discrete time, we consider communicating 
tick automata, where the flow of time is represented by an explicit tick action: 
A process evolves from one time unit to the next by performing a tick action, 
forcing all the other processes to perform a tick as well; all the other actions are 
asynchronous. This model of discrete-time is called tick automata in [15], which 
is related to the fictitious-time model of [8]. 

3 And probably exponentially worse, due to a blow-up when translating from dense 
to discrete time. 

We provide a complete characterization of decidable and undecidable topolo- 
gies for communicating tick automata: We show that reachability is decidable 
if, and only if, the topology is a polyforest (like for CFSMs), and, additionally, 
each weakly-connected component can test at most one channel for emptiness. 
Our results follow from topology-preserving mutual reductions between commu- 
nicating tick automata and counter automata. As a consequence of the structure 
of our reductions, we show that channels and counters are mutually expressible, 
and similarly for emptiness tests and zero tests. This allows us to also obtain 
complexity results for communicating tick automata: We show that reachability 
in a system of communicating tick automata over a weakly-connected topology 
has the same complexity as reachability in Petri nets. 4 

Related work. Apart from [18], communication in a dense-time scenario has also 
been studied in [14,7,5]. In particular, [14] proposes timed message sequence 
charts as the semantics of communicating timed automata, and studies the 
scenario matching problem where timing constraints can be specified on local 
processes, later extended to also include send/receive pairs [7]. Communicating 
event-clock automata, a strict subclass of timed automata, are studied in [5] 
where, instead of considering the decidability frontier w.r.t. the communication 
topology, it is shown, among other results, that reachability is decidable for arbi- 
trary topologies over existentially-bounded channels. A crucial difference w.r.t. 
our work is that we do not put any restriction on the channels, and we con- 
sider full timed automata. In a distributed setting, the model of global time we 
have chosen is not the only possible. In particular, [6] studies decidability of net- 
works of (non-communicating) timed asynchronous automata in an alternative 
setting where each automaton has a local drift w.r.t. global time. In the discrete- 
time setting, we mention the work [17], which generalizes communicating tick 
automata to a loosely synchronous setting, where local times, though different, 
can differ at most by a given bound. While [17] shows decidability for a restricted 
two-processes topology, we characterize decidability for arbitrary topologies. 

Outline. In Sec. 2 we introduce general notation; in particular, we define com- 
municating timed processes, which allow us to uniformly model communication 
in both the discrete and dense time. In Sec. 3 we study the decidability and 
complexity for communicating tick automata (discrete time), while in Sec. 4 we 
deal with communicating timed automata (dense time). Finally, Sec. 5 ends the 
paper with future work. Full proofs are given in the appendix. 

4 The latter problem is known to be EXPSPACE-hard [20], and finding an upper 
bound is a long-standing open problem. 
2 Communicating Timed Processes 

A labeled transition system (LTS for short) is a tuple $\mathcal{A} = (S, S_I, S_F, A, \to)$ 
where $S$ is a set of states with initial states $S_I \subseteq S$ and final states 
$S_F \subseteq S$, $A$ is a set of actions, and $\to \subseteq S \times A \times S$ is a 
labeled transition relation. For simplicity, we write $s \xrightarrow{a} s'$ in place of 
$(s, a, s') \in \to$. A path in $\mathcal{A}$ is an alternating sequence 
$\pi = s_0, a_1, s_1, \ldots, a_n, s_n$ of states $s_i \in S$ and actions $a_i \in A$ such 
that $s_{i-1} \xrightarrow{a_i} s_i$ for all $i \in \{1, \ldots, n\}$. We abuse notation and 
shortly denote it by $s_0 \xrightarrow{a_1 \cdots a_n} s_n$. The word 
$a_1 \cdots a_n \in A^*$ is called the trace of $\pi$. A run is a path starting in an 
initial state ($s_0 \in S_I$) and ending in a final state ($s_n \in S_F$). 

We consider systems that are composed of several processes interacting with 
each other in two ways. Firstly, they implicitly synchronize over the passing of 
time. Secondly, they explicitly communicate through the asynchronous exchange 
of messages. For the first point, we represent delays by actions in a given delay 
domain D. Typically, the delay domain is a set of non-negative numbers when 
time is modeled quantitatively, or a finite set of abstract delays when time is 
modeled qualitatively. Formally, a timed process over $\mathbb{D}$ is a labeled transition 
system $\mathcal{A} = (S, S_I, S_F, A, \to)$ such that $A \supseteq \mathbb{D}$. Actions in $A$ 
are either synchronous delay actions in $\mathbb{D}$, or asynchronous actions in 
$A \setminus \mathbb{D}$. 

For the second point, we introduce fifo channels between processes. Formally, 
a communication topology is a triple $\mathcal{T} = (P, C, E)$ where $(P, C)$ is a directed 
graph comprising a finite set $P$ of processes and a set of communication channels 
$C \subseteq P \times P$, and, additionally, $E \subseteq C$ contains those channels that 
can be tested for emptiness. Thus, a channel $c \in C$ is a pair $(p, q)$, with the 
intended meaning that process $p$ can send messages to process $q$. For a process $p$, 
let $C[p] = \{q \mid (p, q) \in C\}$ be its set of outgoing channels, and let 
$C^{-1}[p] = \{q \mid (q, p) \in C\}$ be its set of incoming channels. Processes may send 
messages to outgoing channels, receive messages from incoming channels, as well as 
test emptiness of incoming channels (for testable channels). Formally, given a finite 
set $M$ of messages, the set of possible communication actions for process $p$ is 

$A^p_{com} = \{c!m \mid c \in C[p], m \in M\} \cup \{c?m \mid c \in C^{-1}[p], m \in M\} \cup \{c{==}\varepsilon \mid c \in E \cap C^{-1}[p]\}$. 

The set of all communication actions is $A_{com} = \bigcup_{p \in P} A^p_{com}$. While send 
actions ($c!m$) and receive actions ($c?m$) are customary, we introduce the extra test 
action ($c{==}\varepsilon$) to model the urgent semantics of [18] (cf. Appendix A.1). 

Definition 1. A system of communicating timed processes is a tuple 
$\mathcal{S} = (\mathcal{T}, M, \mathbb{D}, (\mathcal{A}^p)_{p \in P})$ where 
$\mathcal{T} = (P, C, E)$ is a topology, $M$ is a finite set of messages, $\mathbb{D}$ is a 
delay domain, and, for each $p \in P$, $\mathcal{A}^p = (S^p, S^p_I, S^p_F, A^p, \to^p)$ is 
a timed process over $\mathbb{D}$ such that $A^p \cap A_{com} = A^p_{com}$. Actions not in 
$(\mathbb{D} \cup A_{com})$ are called internal actions. 

States $s^p \in S^p$ are called local states of $p$, while a global state is a tuple of 
local states in $\prod_{p \in P} S^p$. We give the semantics of a system of communicating 
timed processes in terms of a global labeled transition system. The contents of 
each channel is represented as a finite word over the alphabet $M$. Processes move 
asynchronously, except for delay actions that occur simultaneously. Formally, the 
semantics of a system of communicating timed processes 
$\mathcal{S} = (\mathcal{T}, M, \mathbb{D}, (\mathcal{A}^p)_{p \in P})$ is the labeled 
transition system $[\![\mathcal{S}]\!] = (S, S_I, S_F, A, \to)$ where 
$S = (\prod_{p \in P} S^p) \times (M^*)^C$, 
$S_I = (\prod_{p \in P} S^p_I) \times \{\lambda c.\varepsilon\}$, 
$S_F = (\prod_{p \in P} S^p_F) \times \{\lambda c.\varepsilon\}$, 
$A = \bigcup_{p \in P} A^p$, and there is a transition 
$(s_1, w_1) \xrightarrow{a} (s_2, w_2)$ under the following restrictions: 

- if $a \in \mathbb{D}$, then $s_1^p \xrightarrow{a} s_2^p$ for all $p \in P$, 

- if $a \notin \mathbb{D}$, then $s_1^p \xrightarrow{a} s_2^p$ for some $p \in P$, and $s_1^q = s_2^q$ for all $q \in P \setminus \{p\}$, 

• if $a = c!m$, then $w_2(c) = w_1(c) \cdot m$ and $w_2(d) = w_1(d)$ for all $d \in C \setminus \{c\}$, 

• if $a = c?m$, then $m \cdot w_2(c) = w_1(c)$ and $w_2(d) = w_1(d)$ for all $d \in C \setminus \{c\}$, 

• if $a = (c{==}\varepsilon)$, then $w_1(c) = \varepsilon$ and $w_1 = w_2$, and 

• if $a \notin A_{com}$, then $w_1 = w_2$. 

To prevent confusion, states of $[\![\mathcal{S}]\!]$ will be called configurations in the 
remainder of the paper. Given a path $\pi$ in $[\![\mathcal{S}]\!]$, its projection to 
process $p$ is the path $\pi|_p$ in $\mathcal{A}^p$ obtained by projecting each transition 
of $\pi$ to process $p$ in the natural way. 

The reachability problem asks, given a system of communicating timed processes 
$\mathcal{S}$, whether there exists a run in its semantics $[\![\mathcal{S}]\!]$. Note that 
we require all channels to be empty at the end of a run, which simplifies our 
constructions later by guaranteeing that every sent message is eventually received. 
(This is w.l.o.g. since reachability and control-state reachability are easily 
inter-reducible.) Two systems of communicating timed processes $\mathcal{S}$ and 
$\mathcal{S}'$ are said to be equivalent if $[\![\mathcal{S}]\!]$ has a run if and only if 
$[\![\mathcal{S}']\!]$ has a run. 

Definition 2. A system of communicating tick automata is a system of communicating 
timed processes $\mathcal{S} = (\mathcal{T}, M, \mathbb{D}, (\mathcal{A}^p)_{p \in P})$ such 
that $\mathbb{D} = \{\tau\}$ and each $\mathcal{A}^p$ is a tick automaton, i.e., a timed 
process over $\mathbb{D}$ with finitely many states and actions. 

Thus, tick automata communicate with actions in $A_{com}$ and, additionally, 
synchronize over the tick action $\tau$. This global synchronization makes 
communicating tick automata more expressive than CFSMs, in the sense that ticks can 
forbid re-orderings of communication actions that are legitimate without ticks 
(see Appendix A.2). Notice that there is only one tick symbol in $\mathbb{D}$: With two 
different ticks, reachability is already undecidable for the one channel topology 
p → q without emptiness test (see Appendix A.3). 

3 Decidability of communicating tick automata 

In this section, we study decidability and complexity of communicating tick au- 
tomata. Our main technical tool consists of mutual reductions to/from counter 
automata, showing that, in the presence of tick actions, 1) each channel is equiv- 
alent to a counter, and 2) each emptiness test on a channel is equivalent to a 
zero test on the corresponding counter. This allows us to derive a complete char- 
acterization of decidable topologies, and also complexity results. We begin by 
defining communicating counter automata. 
Communicating counter automata. A counter automaton is a classical Minsky 
machine $\mathcal{C} = (L, L_I, L_F, A, X, \Delta)$ with finitely many locations $L$, 
initial locations $L_I \subseteq L$, final locations $L_F \subseteq L$, alphabet of 
actions $A$, finitely many counters in $X$, and transition rules 
$\Delta \subseteq L \times A \times L$. Operations on a counter $x \in X$ are 
x++ (increment), x-- (decrement) and x==0 (zero test). Let $Op(X)$ be the set 
of operations over counters in $X$. We require that $A \supseteq Op(X)$. As usual, the 
semantics is given as a labelled transition system 
$[\![\mathcal{C}]\!] = (S, S_I, S_F, A, \to)$ where $S = L \times \mathbb{N}^X$, 
$S_I = L_I \times \{\lambda x.0\}$, $S_F = L_F \times \{\lambda x.0\}$, and the transition 
relation $\to$ is defined as usual. Notice that acceptance is with zero counters. 

A system of communicating counter automata is a system of communicating 
timed processes $\mathcal{S} = (\mathcal{T}, M, \mathbb{D}, ([\![\mathcal{C}^p]\!])_{p \in P})$ 
such that $\mathbb{D} = \emptyset$ and each $\mathcal{C}^p$ is a counter automaton. By 
Definition 1, this entails that each counter automaton performs communicating 
actions in $A^p_{com}$. Moreover, since the delay domain is empty, they can only 
interact through the asynchronous exchange of messages. 

From tick automata to counter automata. Let S be a system of communicating 
tick automata over an arbitrary (i.e., possibly cyclic) weakly-connected 5 topol- 
ogy. We build an equivalent system of communicating counter automata S' over 
the same topology. Processes in S' are completely asynchronous, i.e., with empty 
delay domain. 

Intuitively, we implement synchronization on the delay action $\tau$ in $\mathcal{S}$ by 
communication in $\mathcal{S}'$. We introduce a new type of message, also called $\tau$, 
which is sent in broadcast by all processes in $\mathcal{S}'$ each time there is a 
synchronizing tick action in $\mathcal{S}$. Since communication is by its nature 
asynchronous, we allow the sender and the receiver to be momentarily desynchronized 
during the computation. However, we restrict the desynchronization to be 
asymmetric: The receiver is allowed to be "ahead" of the sender (w.r.t. number of 
ticks performed), but never the other way around. This ensures causality between 
transmissions and receptions, by forbidding that a message is received before it 
is sent. 

To keep track of the exact amount of desynchronization between sender and 
receiver (as a difference in number of ticks), we introduce counters in 
$\mathcal{S}'$: We endow each process $p$ with a non-negative counter $x^p_c$ for each 
channel $c \in C^{-1}[p]$ from which $p$ is allowed to receive. The value of counter 
$x^p_c$ measures the difference in number of ticks $\tau$ between $p$ and the 
corresponding sender along $c$. Whenever a process $p$ performs a synchronizing tick 
action $\tau$ in $\mathcal{S}$, in $\mathcal{S}'$ it sends a message $\tau$ in broadcast onto 
all outgoing channels; at the same time, all its counters $x^p_c$ are incremented, 
recording that $p$, as a receiver process, is one more step ahead of its 
corresponding senders. When one such $\tau$-message is received by a process $q$ in 
$\mathcal{S}'$ along channel $c$, the corresponding counter $x^q_c$ is decremented; 
similarly, this records that the sender process along $c$ is getting one step closer 
to the receiver process $q$. The topology needs to be weakly-connected for the 
correct propagation of $\tau$'s. 



5 A topology T is weakly-connected if, for every two processes, there is an undirected 
path between them. 



Reachability of Communicating Timed Processes 






While proper ordering of receptions and transmissions is ensured by 
non-negativeness of counters, testing emptiness of the channel is more difficult: In 
fact, a receiver, which in general is ahead of the sender, might see the channel as 
empty at one point (thus the test is positive), but then the sender might later 
(i.e., after performing some tick) send some message, and the earlier test should 
actually have failed (false positive). We avoid this difficulty by enforcing that 
the receiver $q$ is synchronized with the corresponding sender along channel $c$ on 
emptiness tests, by adding to the test action $c{==}\varepsilon$ by $q$ a zero test 
$x^q_c{==}0$. 

Formally, let $\mathcal{S} = (\mathcal{T}, M, \mathbb{D}, (\mathcal{A}^p)_{p \in P})$ with 
$\mathbb{D} = \{\tau\}$ be a system of communicating tick automata over topology 
$\mathcal{T} = (P, C, E)$, where, for each $p \in P$, 
$\mathcal{A}^p = (L^p, L^p_I, L^p_F, A^p, \to^p)$ is a tick automaton, i.e., 
$\tau \in A^p$. We define the system of communicating counter automata 
$\mathcal{S}' = (\mathcal{T}, M', \mathbb{D}', ([\![\mathcal{C}^p]\!])_{p \in P})$, over 
the same topology $\mathcal{T}$ as $\mathcal{S}$, s.t. $M' = M \cup \{\tau\}$, 
$\mathbb{D}' = \emptyset$, and, for every process $p \in P$, we have a counter automaton 
$\mathcal{C}^p$, which is defined as follows: 
$\mathcal{C}^p = (L^p, L^p_I, L^p_F, B^p, X^p, \Delta^p)$, i.e., control locations $L^p$ 
in $\mathcal{C}^p$ are the same as locations in the corresponding tick automaton 
$\mathcal{A}^p$ (and also initial/final locations), and counters are those in 
$X^p = \{x^p_c \mid c \in C^{-1}[p]\}$. For simplifying the definition of transitions, we 
allow sequences of actions instead of just one action; these can be clearly 
implemented by introducing more intermediate states. Thus, transitions in 
$\mathcal{C}^p$ are defined as follows: 

- Let $\ell \xrightarrow{\tau} \ell'$ be a transition in $\mathcal{A}^p$, and assume that 
  outgoing channels of $p$ are those in $C[p] = \{c_0, \ldots, c_h\}$, and that counters 
  in $X^p$ are those in $\{x_0, \ldots, x_k\}$. Then, 
  $\ell \xrightarrow{c_0!\tau; \ldots; c_h!\tau; x_0{++}; \ldots; x_k{++}} \ell'$ is a 
  transition in $\mathcal{C}^p$. 

- For every $\ell \in L^p$ and input channel $c \in C^{-1}[p]$, there is a transition 
  $\ell \xrightarrow{c?\tau; x^p_c{--}} \ell$ in $\mathcal{C}^p$. 

- If $\ell \xrightarrow{c{==}\varepsilon} \ell'$ is a transition in $\mathcal{A}^p$, then 
  $\ell \xrightarrow{c{==}\varepsilon; x^p_c{==}0} \ell'$ is a transition in $\mathcal{C}^p$. 

- Every other transition $\ell \xrightarrow{a} \ell'$ in $\mathcal{A}^p$ is also a 
  transition in $\mathcal{C}^p$. 

The action alphabet of $\mathcal{C}^p$ is thus 
$B^p = (A^p \setminus \{\tau\}) \cup \{c?\tau \mid c \in C^{-1}[p]\} \cup \{c!\tau \mid c \in C[p]\}$; 
in particular, $\tau$ is no longer an action, but a message that can be sent and 
received. We show that $\mathcal{S}$ and $\mathcal{S}'$ are equivalent, obtaining the 
following result. 

Proposition 1. Let $\mathcal{T}$ be a weakly-connected topology with $\alpha$ channels, of 
which $\beta$ can be tested for emptiness. For every system of communicating tick 
automata $\mathcal{S}$ with topology $\mathcal{T}$, we can produce, in linear time, an 
equivalent system of communicating counter automata $\mathcal{S}'$ with the same 
topology $\mathcal{T}$, containing $\alpha$ counters, of which $\beta$ can be tested for zero. 
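
The construction above, and the false positive that the added zero test rules out, can be exercised on a two-process system. This is an added example, not code from the paper: the encoding of automata as Python dictionaries, the helper names (`line`, `translate`, `apply_ops`, `has_run`), the two constructed systems `GOOD` and `BAD`, and the bounded search are all assumptions of the example; action sequences are executed atomically and each automaton has a single initial location.

```python
from collections import deque

TICK = "tick"  # stands for the tick action of S and for the extra message of S'

def line(actions):
    """Constructed helper: a tick automaton that performs `actions` in order."""
    trans = [(i, a, i + 1) for i, a in enumerate(actions)]
    return {"init": 0, "final": {len(actions)}, "trans": trans}

def translate(procs, channels, zero_test=True):
    """Tick automata of S -> counter automata of S' over the same topology.
    One counter per incoming channel, keyed here by the channel itself."""
    out = {}
    for p, aut in procs.items():
        outgoing = [c for c in channels if c[0] == p]
        incoming = [c for c in channels if c[1] == p]
        rules = []
        for src, act, dst in aut["trans"]:
            if act == TICK:          # broadcast the tick, get one step ahead of senders
                ops = [("!", c, TICK) for c in outgoing] + [("inc", c) for c in incoming]
            elif act[0] == "empty":  # emptiness test, guarded by a zero test
                ops = [act] + ([("zero", act[1])] if zero_test else [])
            else:                    # ordinary sends and receives are kept as they are
                ops = [act]
            rules.append((src, ops, dst))
        locs = {aut["init"], *aut["final"]}
        locs |= {l for src, _, dst in aut["trans"] for l in (src, dst)}
        for loc in locs:             # a sender's tick can be consumed at any location
            rules += [(loc, [("?", c, TICK), ("dec", c)], loc) for c in incoming]
        out[p] = {"init": aut["init"], "final": aut["final"], "trans": rules}
    return out

def apply_ops(ops, channels, chans, ctrs, bound):
    """Run one action sequence atomically; None if some step is disabled."""
    chans, ctrs = list(chans), list(ctrs)
    for op in ops:
        k = channels.index(op[1])
        if op[0] == "!":
            chans[k] = chans[k] + (op[2],)
        elif op[0] == "?":
            if not chans[k] or chans[k][0] != op[2]:
                return None
            chans[k] = chans[k][1:]
        elif op[0] == "empty" and chans[k]:
            return None
        elif op[0] == "inc":
            ctrs[k] += 1
        elif op[0] == "dec":
            if ctrs[k] == 0:
                return None
            ctrs[k] -= 1
        elif op[0] == "zero" and ctrs[k] != 0:
            return None
        if len(chans[k]) > bound or ctrs[k] > bound:
            return None              # outside the explored (bounded) state space
    return tuple(chans), tuple(ctrs)

def has_run(system, channels, bound=4):
    """Bounded search for a run of S': final locations, empty channels, zero counters."""
    names = sorted(system)
    start = (tuple(system[p]["init"] for p in names),
             tuple(() for _ in channels), tuple(0 for _ in channels))
    seen, todo = {start}, deque([start])
    while todo:
        locs, chans, ctrs = todo.popleft()
        at_final = all(l in system[p]["final"] for p, l in zip(names, locs))
        if at_final and not any(chans) and not any(ctrs):
            return True
        for i, p in enumerate(names):
            for src, ops, dst in system[p]["trans"]:
                nxt = apply_ops(ops, channels, chans, ctrs, bound) if src == locs[i] else None
                if nxt is not None:
                    state = (locs[:i] + (dst,) + locs[i + 1:], *nxt)
                    if state not in seen:
                        seen.add(state)
                        todo.append(state)
    return False

CHANNELS = [("p", "q")]              # topology p -> q, channel testable by q
c = CHANNELS[0]
# Constructed system with a run in S: q tests at time 0, p sends after the tick.
GOOD = {"p": line([TICK, ("!", c, "m")]),
        "q": line([("empty", c), TICK, ("?", c, "m")])}
# Constructed system with no run in S: m is already in the channel when q tests.
BAD = {"p": line([("!", c, "m"), TICK]),
       "q": line([TICK, ("empty", c), ("?", c, "m")])}

if __name__ == "__main__":
    for name, procs in (("GOOD", GOOD), ("BAD", BAD)):
        for zt in (True, False):
            print(name, "zero_test =", zt, "->", has_run(translate(procs, CHANNELS, zt), CHANNELS))
```

With the zero test in place the search agrees with the tick semantics on both systems; dropping it lets q run one tick ahead in `BAD`, pass the emptiness test on a channel that p has not yet written to, and complete a run that the tick system does not have.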

While the proposition above holds for arbitrary weakly-connected topologies, 
it yields counter automata with channels, which are undecidable in general. To 
avoid undecidability due to communication, we need to forbid cycles (either 
directed or undirected) in the topology. It has been shown that, on polytrees 6, 
runs of communicating processes (even infinite-state) can be rescheduled as to 
satisfy the so-called eagerness requirement, where each transmission is 
immediately followed by the matching reception [16]. Their argument holds also in the 
presence of emptiness tests, since an eager run cannot disable $c{==}\varepsilon$ 
transitions (eager runs can only make the channels empty more often). Thus, by 
restricting to eager runs, communication behaves just as a rendezvous 
synchronization, and we obtain a global counter automaton by taking the product of 
all component counter automata. 

6 A polytree is a weakly-connected graph with neither directed, nor undirected cycles. 

Fig. 1: Simulation of a counter automaton by a system of communicating tick 
automata: Tick automata for $r_j$ (left) and $q_i$ (right), Topology (middle). 

Theorem 1. For every polytree topology $\mathcal{T}$ with $\alpha$ channels, of which 
$\beta$ can be tested for emptiness, the reachability problem for systems of 
communicating tick automata with topology $\mathcal{T}$ is reducible, in linear time, to 
the reachability problem for products of (non-communicating) counter automata, 
with overall $\alpha$ counters, of which $\beta$ can be tested for zero. 

From counter automata to tick automata. We reduce the reachability problem for 
(non-communicating) counter automata to the reachability problem for systems 
of communicating tick automata with star topology. Formally, a topology 
$\mathcal{T} = (P, C, E)$ is called a star topology if there exist two disjoint subsets 
$Q, R$ of $P$ and a process $p$ in $P \setminus (Q \cup R)$ such that 
$P = \{p\} \cup Q \cup R$ and $C = (R \times \{p\}) \cup (\{p\} \times Q)$. 
The idea is to simulate each counter with a separate channel, thus the number 
of counters fixes the number of channels in $\mathcal{T}$. However, our reduction is 
uniform in the sense that it works independently of the exact arrangement of 
channels in $\mathcal{T}$, which we take not to be under our control. W.l.o.g., we 
consider counter automata where all actions are counter operations (i.e., 
$\Delta \subseteq L \times Op(X) \times L$). 

For the remainder of this section, we consider an arbitrary star topology 
$\mathcal{T} = (P, C, E)$ with set of processes 
$P = \{p, q_1, \ldots, q_m, r_1, \ldots, r_n\}$, where $m, n \in \mathbb{N}$, and set of 
channels $C = \{p\} \times \{q_1, \ldots, q_m\} \cup \{r_1, \ldots, r_n\} \times \{p\}$ and 
$E = C$. This topology is depicted in Figure 1 (middle). Note that we allow the limit 
cases $m = 0$ and $n = 0$. To simplify the presentation, we introduce shorter 
notations for the channels of this topology: we define $c_i = (p, q_i)$ and 
$d_j = (r_j, p)$ for every $i \in \{1, \ldots, m\}$ and $j \in \{1, \ldots, n\}$. 

Let $\mathcal{C} = (L, L_I, L_F, X \cup Y, \Delta)$ be a counter automaton with $m + n$ 
counters, namely $X = \{x_1, \ldots, x_m\}$ and $Y = \{y_1, \ldots, y_n\}$. The counters 
are split into $X$ and $Y$ to reflect the star topology $\mathcal{T}$, which is a priori 
given. We build, from $\mathcal{C}$, an equivalent system of communicating tick automata 
$\mathcal{S}$ with topology $\mathcal{T}$. Basically, the process $p$ simulates the 
control-flow graph of the counter automaton, and the counters $x_i$ and $y_j$ are 
simulated by the channels $c_i$ and $d_j$, respectively. In order to define 
$\mathcal{S}$, we need to provide its message alphabet and its tick automata, one 
for each process in $P$. The message alphabet is $M = \{wait, test\}$. Actions 
performed by processes in $P$ are either communication actions or the delay 
action $\tau$. Processes $r_j$'s are assigned the tick automaton of Figure 1 (left), 
and processes $q_i$'s are assigned the tick automaton of Figure 1 (right). 
Intuitively, communications on wait messages are loosely synchronized using the 
$\tau$ actions in $q_i$ and $r_j$, so that $p$ can control the rate of their reception and 
transmission. 

We now present the tick automaton $\mathcal{A}^p$. As mentioned above, the control-flow 
graph of $\mathcal{C}$ is preserved by $\mathcal{A}^p$, so we only need to translate 
counter operations of $\mathcal{C}$ by communication actions and $\tau$ actions. Each 
counter operation of $\mathcal{C}$ is simulated by a finite sequence of actions in 
$\Sigma^p$. To simplify the presentation, we directly label transitions of 
$\mathcal{A}^p$ by words in $(\Sigma^p)^*$. The encoding of counter operations is given 
by the mapping $\eta$ from $Op(X \cup Y)$ to $(\Sigma^p)^*$ defined as follows: 

$\eta(x_i{++}) = c_i!wait$ 
$\eta(x_i{--}) = (c_h!wait)_{1 \le h \le m, h \ne i} \cdot \tau \cdot (d_k?wait)_{1 \le k \le n}$ 
$\eta(y_j{--}) = d_j?wait$ 
$\eta(y_j{++}) = (c_h!wait)_{1 \le h \le m} \cdot \tau \cdot (d_k?wait)_{1 \le k \le n, k \ne j}$ 
$\eta(x_i{==}0) = c_i!test$ 
$\eta(y_j{==}0) = (d_j{==}\varepsilon) \cdot (d_j?test)$ 

where $i \in \{1, \ldots, m\}$ and $j \in \{1, \ldots, n\}$. We obtain $\mathcal{A}^p$ from 
$\mathcal{C}$ by replacing each counter operation by its encoding. Observe that these 
replacements require the addition of a set $S_i$ of fresh intermediate states to 
implement sequences of actions. Formally, $\mathcal{A}^p$ is the tick automaton 
$\mathcal{A}^p = (L \cup S_i, L_I, L_F, \Sigma^p, \{\ell \xrightarrow{\eta(op)} \ell' \mid (\ell, op, \ell') \in \Delta\})$. 
This completes the definition of the system of communicating tick automata 
$\mathcal{S} = (\mathcal{T}, M, \{\tau\}, (\mathcal{A}^p)_{p \in P})$. 

A formal proof that $[\![\mathcal{C}]\!]$ has a run if and only if $[\![\mathcal{S}]\!]$ has 
a run is provided in Appendix C.3. Here, we only explain the main ideas behind this 
simulation of $\mathcal{C}$ by $\mathcal{S}$. The number of wait messages in channels 
$c_i$ and $d_j$ encodes the value of counters $x_i$ and $y_j$, respectively. So, 
incrementing $x_i$ amounts to sending wait in $c_i$, and decrementing $y_j$ amounts to 
receiving wait from $d_j$. Both actions can be performed by $p$. Decrementing $x_i$ is 
more involved, since $p$ cannot receive from the channel $c_i$. Instead, $p$ performs 
a $\tau$ action in order to force a $\tau$ action in $q_i$; hence, a receive of wait by 
$q_i$. But all other processes also perform the $\tau$ action, so $p$ compensates (see 
the definition of $\eta(x_i{--})$) in order to preserve the number of wait messages 
in the other channels. The simulation of $y_j{++}$ by $\eta(y_j{++})$ is similar. Let 
us now look at zero test operations. When $p$ simulates $x_i{==}0$, it simply sends 
test in the channel $c_i$. This message is eventually received by $q_i$ since all 
channels must be empty at the end of the simulation. The construction guarantees 
that the first receive action of $q_i$ after the send action $c_i!test$ of $p$ is the 
matching receive $c_i?test$. This means, in particular, that the channel is empty 
when $p$ sends test in $c_i$. The same device is used to simulate a zero test of 
$y_j$, except that the roles of $p$ and its peer (here, $r_j$) are reversed. Clearly, 
channels that need to be tested for emptiness are those encoding counters that 
are tested for zero. We obtain the following theorem. 

Theorem 2. Let $\mathcal{T}$ be an a priori given star topology with $\alpha$ channels, of 
which $\beta$ can be tested for emptiness. The reachability problem for 
(non-communicating) counter automata with $\alpha$ counters, of which $\beta$ can be 
tested for zero, is reducible, in linear time, to the reachability problem for 
systems of communicating tick automata with topology $\mathcal{T}$. 

Decidability and complexity results for communicating tick automata. Thanks to 
the mutual reductions to/from counter automata developed previously, we may 
now completely characterize which topologies (not necessarily weakly-connected) 
have a decidable reachability problem, depending on exactly which channels can 
be tested for emptiness. Intuitively, decidability still holds even in the presence 
of multiple emptiness tests, provided that each test appears in a different 
weakly-connected component. 

Theorem 3 (Decidability). Given a topology T, the reachability problem for 
systems of communicating tick automata with topology T is decidable if and only 
if T is a polyforest 7 containing at most one testable channel in each weakly- 
connected component. 

Proof. For one direction, assume that the reachability problem for systems of 
communicating tick automata with topology T is decidable. The topology T 
is necessarily a polyforest, since the reachability problem is undecidable for 
non-polyforest topologies even without ticks [21,19]. Suppose that T contains 
a weakly-connected component with (at least) two channels that can be tested 
for emptiness. By an immediate extension of Theorem 2 to account for the undi- 
rected path between these two channels, we can reduce the reachability problem 
for two-counter automata to the reachability problem for systems of commu- 
nicating tick automata with topology T. Since the former is undecidable, each 
weakly-connected component in T contains at most one testable channel. 

For the other direction, assume that $\mathcal{T}$ is a polyforest with at most one 
testable channel in each weakly-connected component, and let $\mathcal{S}$ be a system 
of communicating tick automata with topology $\mathcal{T}$. Thus, $\mathcal{S}$ can be 
decomposed into a disjoint union of independent systems 
$\mathcal{S}_0, \mathcal{S}_1, \ldots, \mathcal{S}_n$, where each $\mathcal{S}_k$ has an 
undirected tree topology containing exactly one testable channel. But we need 
to ensure that the $\mathcal{S}_k$'s perform the same number of ticks. By (the 
construction leading to) Theorem 1, each $\mathcal{S}_k$ can be transformed into an 
equivalent counter automaton $\mathcal{C}_k$ (by taking the product over all processes 
in $\mathcal{S}_k$), where exactly one counter, let us call it $x_k$, can be tested for 
zero. We may suppose, w.l.o.g., that the counters of 
$\mathcal{C}_0, \ldots, \mathcal{C}_n$ are disjoint. Moreover, $\mathcal{C}_k$ can maintain, 
in an extra counter $y_k$, the number of ticks performed by $\mathcal{S}_k$. We compose 
the counter machines $\mathcal{C}_0, \ldots, \mathcal{C}_n$ sequentially, and check, at the 
end, that $y_0 = \cdots = y_n$. Since all counters must be zero in final 
configurations, this check can be performed by adding, on the final state, a loop 
decrementing all the $y_k$'s simultaneously. The construction guarantees that the 
resulting global counter machine $\mathcal{C}$ is equivalent to $\mathcal{S}$. However, 
$\mathcal{C}$ contains zero tests on many counters: $x_0, \ldots, x_n$. Fortunately, 
these counters are used one after the other, and they are zero at the beginning 
and at the end. So we may re-use $x_0$ in place of $x_1, \ldots, x_n$. We only need to 
check that $x_0$ is zero when switching from $\mathcal{C}_k$ to $\mathcal{C}_{k+1}$. Thus, 
we have reduced the reachability problem for systems of communicating tick 
automata with topology $\mathcal{T}$ to the reachability problem for counter automata 
with zero tests on only one counter. As the latter is decidable [22,10], the former 
is decidable, too. 

7 A topology T is a polyforest if it is a directed acyclic graph with no undirected cycle. 
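
The criterion of Theorem 3 is a purely graph-theoretic check on (P, C, E), which the following added example implements with a union-find pass over the channels. It is not code from the paper; the function name `classify`, its return shape and the sample topologies are assumptions made for the example.

```python
from collections import defaultdict

def classify(processes, channels, testable):
    """Apply the criterion of Theorem 3 to a topology (P, C, E).

    Returns (decidable, reason, components). `components` maps each
    weakly-connected component (a frozenset of processes) to the pair
    (channels, testable channels), i.e. the (counters, zero tests) of the
    product counter automaton that Theorem 1 yields for that component."""
    channels, testable = set(channels), set(testable)
    if not testable <= channels:
        raise ValueError("E must be a subset of C")
    parent = {p: p for p in processes}
    if any(x not in parent for ch in channels for x in ch):
        raise ValueError("channel endpoint is not a process")

    def find(p):
        # Union-find root lookup with path halving.
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p

    # A channel whose endpoints are already connected closes an undirected
    # cycle; this also catches self-loops and the 2-cycle p -> q, q -> p.
    # Without undirected cycles there can be no directed cycle either.
    acyclic = True
    for p, q in sorted(channels):
        rp, rq = find(p), find(q)
        if rp == rq:
            acyclic = False
        else:
            parent[rp] = rq

    members = defaultdict(set)
    for p in processes:
        members[find(p)].add(p)
    components = {}
    for root, procs in members.items():
        inside = [ch for ch in channels if find(ch[0]) == root]
        components[frozenset(procs)] = (len(inside), sum(ch in testable for ch in inside))

    if not acyclic:
        return False, "not a polyforest", components
    if any(tests > 1 for _, tests in components.values()):
        return False, "two testable channels in one component", components
    return True, "polyforest, at most one testable channel per component", components

# Constructed sample topologies over processes p, q, r (and s).
PQR = ["p", "q", "r"]
CHAIN = [("p", "q"), ("q", "r")]        # p -> q -> r
CONVERGE = [("p", "q"), ("r", "q")]     # p -> q <- r

if __name__ == "__main__":
    print(classify(PQR, CHAIN, []))
    print(classify(PQR, CHAIN, CHAIN))
    print(classify(PQR, CHAIN, [("q", "r")]))
    print(classify(PQR, CONVERGE, CONVERGE))
    print(classify(PQR + ["s"], [("p", "q"), ("r", "s")], [("p", "q"), ("r", "s")]))
    print(classify(PQR, CHAIN + [("p", "r")], []))
```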

When no test is allowed, we obtain a simple characterization of the complexity
for polyforest topologies. A topology $T = (P, C, E)$ is test-free if $E = \emptyset$.

Corollary 1 (Complexity). The reachability problem for systems of commu- 
nicating tick automata with test-free polyforest topologies has the same complexity 
as the reachability problem for counter automata without zero tests (equivalently,
Petri nets). 

Remark 1. Even though global synchronization makes communicating tick au- 
tomata more expressive than CFSMs, our characterization shows that they are 
decidable for exactly the same topologies (polyforest). However, while reachability
for CFSMs is PSPACE-complete, systems of communicating tick automata
are equivalent to Petri nets, for which reachability is EXPSPACE-hard [20] (the
upper bound being a long-standing open problem). 

4 Decidability of communicating timed automata 

In this section, we consider communicating timed automata, which are communicating
timed processes synchronizing over the dense delay domain $\mathbb{D} = \mathbb{R}_{\geq 0}$.
We extend the decidability results for tick automata of Section 3 to the case of 
timed automata. To this end, we present mutual, topology-preserving reductions 
between communicating tick automata and communicating timed automata. We 
first introduce the latter model. 

Communicating timed automata. A timed automaton $B = (L, L_I, L_F, X, \Sigma, \Delta)$
is defined by a finite set of locations $L$ with initial locations $L_I \subseteq L$ and final
locations $L_F \subseteq L$, a finite set of clocks $X$, a finite alphabet $\Sigma$ and a finite set
$\Delta$ of transition rules $(\ell, \sigma, g, R, \ell')$ where $\ell, \ell' \in L$, $\sigma \in \Sigma$, the guard $g$ is a
conjunction of constraints $x \,\#\, c$ for $x \in X$, $\# \in \{<, \leq, =, \geq, >\}$ and $c \in \mathbb{N}$, and
$R \subseteq X$ is a set of clocks to reset.

The semantics of $B$ is given by the timed process $[\![B]\!] = (S, S_I, S_F, A, \to)$,
where $S = L \times \mathbb{R}_{\geq 0}^X$, $S_I = L_I \times \{\lambda x.0\}$, $S_F = L_F \times \{\lambda x.0\}$, $A = \Sigma \cup \mathbb{R}_{\geq 0}$
is the set of actions, and there is a transition $(\ell, v) \xrightarrow{d} (\ell, v')$ if $d \in \mathbb{R}_{\geq 0}$ and
$v'(x) = v(x) + d$ for every clock $x$, and $(\ell, v) \xrightarrow{\sigma} (\ell', v')$ if there exists a rule
$(\ell, \sigma, g, R, \ell') \in \Delta$ such that $g$ is satisfied by $v$ (defined in the natural way) and
$v'(x) = 0$ when $x \in R$, $v'(x) = v(x)$ otherwise. We decorate a path
$(\ell_0, u_0) \xrightarrow{a_0, t_0} (\ell_1, u_1) \xrightarrow{a_1, t_1} \cdots (\ell_n, u_n)$ in $[\![B]\!]$ with additional timestamps
$t_i = \sum \{ a_j \mid j = 0, \ldots, i-1 \text{ and } a_j \in \mathbb{R}_{\geq 0} \}$. Note that we require clocks to be zero on accepting
runs, which simplifies a construction later. 8 W.l.o.g. we do not consider location
invariants in timed automata as they can be encoded in the guards; reachability
is preserved since acceptance with zero clocks forbids the elapse of time upon
entering the last location of an accepting run.

8 It can be implemented by duplicating final locations, and by resetting all clocks
when entering the new final locations.

12 L. Clemente, F. Herbreteau, A. Stainer, and G. Sutre

A system of communicating timed automata is a system of communicating 
timed processes $S = (T, M, \mathbb{R}_{\geq 0}, ([\![B^p]\!])_{p \in P})$ where each $B^p$ is a timed automaton.
Note that each timed automaton has access only to its local clocks. By
Definition 1, each timed automaton performs communicating actions in $A^p_{com}$
and synchronizes with all the other processes over delay actions in $\mathbb{R}_{\geq 0}$.



Fig. 2: From timed to tick automata: instrumentation of a timed automaton $B$
with $\tau$-transitions (left), addition of $\tau$'s along a run (middle) and rescheduling
of a run (right).

From timed automata to tick automata. On test-free acyclic topologies, we show 
a topology-preserving reduction from communicating timed to communicating 
tick automata. We insist on a reduction that only manipulates processes locally, 
thus preserving the topology. The absence of emptiness tests on the channels 
enables such a modular construction. 

Naively, one would just apply the classical region construction to each process 
[8]. However, while this preserves local reachability properties, it does not re- 
spect the global synchronization between different processes. While quantitative 
synchronization cannot be obtained by locally removing dense time, a qualitative 
synchronization suffices in our setting. We require that all processes are either 
at the same integer date $k \in \mathbb{N}$, or in the same open interval $(k, k+1)$. This
suffices because, at integer dates (in fact, at any time-point), any interleaving 
is allowed, and, in intervals (k,k + 1), we can reschedule all processes s.t., for 
every channel c = (p, q) , all actions of p occur before all actions of q (cf. the 
Rescheduling Lemma below). The latter property ensures the causality between 
transmissions and receptions. 

Qualitative synchronization is achieved by forcing each automaton $B^p$ to perform
a synchronizing tick action $\tau$ at each date $k$ and at each interval $(k, k+1)$.
See Figure 2 on the left, where $B^p$ is split into two copies $(B^p, 0)$ and $(B^p, 1)$:
Actions occurring on integer dates $k$ are performed in $(B^p, 0)$, and those in $(k, k+1)$
happen in $(B^p, 1)$. This is ensured by adding a new clock $t$ and $\tau$-transitions
that switch from one mode to the other. Formally, the $\tau$-instrumentation of
$B = (L, L_I, L_F, X, \Sigma, \Delta)$ is the timed automaton
$\mathrm{Instr}(B, \tau) = (L \times \{0,1\},\ L_I \times \{1\},\ L_F \times \{0,1\},\ X \cup \{t\},\ \Sigma \cup \{\tau\},\ \Delta')$,
where $t \notin X$ and $\Delta'$ is defined by:

$(\ell, 0) \xrightarrow{\sigma,\ (g \wedge t = 0),\ R} (\ell', 0)$ and $(\ell, 1) \xrightarrow{\sigma,\ (g \wedge 0 < t < 1),\ R} (\ell', 1)$ for all rules $\ell \xrightarrow{\sigma, g, R} \ell' \in \Delta$,
and $(\ell, 0) \xrightarrow{\tau,\ t = 0,\ \emptyset} (\ell, 1)$ and $(\ell, 1) \xrightarrow{\tau,\ t = 1,\ \{t\}} (\ell, 0)$ for all locations $\ell \in L$.

Finally, we obtain an equivalent system of tick automata by applying the
exponential region construction to each instrumented process.

Theorem 4. Let T be a test-free acyclic topology. For every system of communicating
timed automata $S = (T, M, \mathbb{R}_{\geq 0}, ([\![B^p]\!])_{p \in P})$ with topology T, we can produce,
in exponential time, an equivalent system of communicating tick automata
$S' = (T, M, \{\tau\}, (A^p)_{p \in P})$ over the same topology T, where the tick automaton
$A^p$ is obtained by applying the region graph construction to $\mathrm{Instr}(B^p, \tau)$.

One direction of the equivalence between S and S' is immediate, since every
run in S induces a run in S' by just inserting $\tau$ actions in the right position.
For the other direction, let $\rho'$ be a run of S', and we show how to build a
corresponding run $\rho$ of S. We have to schedule all the actions in $\rho'$ on timestamps
that are consistent with the guards in S and that preserve dependencies between
transmissions and receptions of messages. Consider a channel c = (p, q) without
emptiness test. If p and q are untimed processes, it is always possible to first
schedule transmissions of p, and then receptions of q. The Rescheduling Lemma
below ensures the same for timed processes. This is depicted in Figure 2 in the
middle (before rescheduling) and on the right (after rescheduling) where the a's
are emissions of p and the b's are receptions of q.

Lemma 1 (Rescheduling Lemma) Let $B$ be a timed automaton, and $I \subseteq (0, 1)$
an open interval. Then, every run of $B$ $(\ell_0, v_0) \to \cdots (\ell_n, v_n)$ can be
rescheduled such that integral timestamps $t_i \in \mathbb{N}$ are kept the same, and
non-integral timestamps $t_i \in (k, k+1)$ belong to $k + I$.

Intuitively, the lemma above allows us to restrict non-integer timestamps in
$(k, k+1)$ to occur in a predefined sub-interval $I + k$. Let us first see how this helps
in constructing $\rho'$. To each process p, we associate an open interval $I_p \subseteq (0, 1)$,
such that, for every channel (p, q), $I_p$ and $I_q$ are disjoint, and $I_p$ comes before
$I_q$. This is always possible on acyclic topologies. Then, all actions of process p
in $(k, k+1)$ are rescheduled to occur in $k + I_p$ (according to the Rescheduling
Lemma), which ensures causality between transmissions and receptions. Finally,
the $\tau$ actions added by instrumentation tell, for each action performed by process
p in $\rho'$, whether it should be scheduled at an integer date $k$, or in $k + I_p$.
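
The interval assignment and rescheduling step described above can be carried out concretely. The following Python sketch is an added example, not code from the paper: the function names and the timestamps are constructed for illustration, and the affine compression of fractional parts is one assumed way to reschedule (the paper's own proof is in its Appendix D.1).

```python
from fractions import Fraction
from graphlib import TopologicalSorter  # Python 3.9+


def assign_intervals(processes, channels):
    """Map each process p to an open interval I_p = (lo, hi) inside (0, 1) such
    that I_p lies entirely before I_q for every channel (p, q)."""
    graph = {p: set() for p in processes}
    for sender, receiver in channels:
        graph[receiver].add(sender)  # senders are ordered first
    # static_order() raises graphlib.CycleError when the topology is cyclic.
    order = list(TopologicalSorter(graph).static_order())
    n = len(order)
    return {p: (Fraction(i, n), Fraction(i + 1, n)) for i, p in enumerate(order)}


def reschedule(timestamps, interval):
    """Keep integral timestamps; move each t in (k, k+1) into k + I.
    Assumed choice: compress the fractional part affinely, which keeps the
    order of fractional parts and hence every comparison against an integer."""
    lo, hi = interval
    out = []
    for t in map(Fraction, timestamps):
        k, frac = t // 1, t % 1
        out.append(t if frac == 0 else k + lo + frac * (hi - lo))
    return out


def guard_view(timestamps):
    """What integer guards can observe: for every pair of dates (time 0
    included), the integer part of the delay and whether it is integral."""
    pts = [Fraction(0)] + [Fraction(t) for t in timestamps]
    return [((b - a) // 1, (b - a) % 1 == 0)
            for i, a in enumerate(pts) for b in pts[i + 1:]]


def causal(sender_ts, receiver_ts):
    """True iff, inside every open interval (k, k+1), all sender actions
    happen strictly before all receiver actions."""
    return all(s < r
               for s in sender_ts for r in receiver_ts
               if s % 1 and r % 1 and s // 1 == r // 1)


# Constructed sample: test-free acyclic topology p -> q -> r, with locally
# chosen timestamps where q acts at 1/5, before p's actions at 1/2 and 9/10.
PROCESSES = ["p", "q", "r"]
CHANNELS = [("p", "q"), ("q", "r")]
RUNS = {
    "p": [Fraction(1, 2), Fraction(9, 10), Fraction(1), Fraction(17, 10)],
    "q": [Fraction(1, 5), Fraction(3, 10), Fraction(1), Fraction(11, 10)],
}

INTERVALS = assign_intervals(PROCESSES, CHANNELS)
RESCHEDULED = {p: reschedule(ts, INTERVALS[p]) for p, ts in RUNS.items()}

if __name__ == "__main__":
    for p in RUNS:
        print(p, INTERVALS[p], [str(t) for t in RESCHEDULED[p]])
    print("causal before:", causal(RUNS["p"], RUNS["q"]))
    print("causal after: ", causal(RESCHEDULED["p"], RESCHEDULED["q"]))
```
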

Remark 2. We show in Appendix D.2 that our reduction is incorrect in the 
presence of emptiness tests. We also show that there are essential difficulties in 
rescheduling senders and receivers in fixed intervals, as emptiness tests introduce 
a sort of circular dependency and seem to require unboundedly many intervals. 

We now comment about the correctness of the Rescheduling Lemma (proved 
in Appendix D.l). Resets and guards in a timed automaton allow to enforce 
minimal and/or maximal delays between timestamps on a path. Since clocks are 
compared to integers only, it suffices to just distinguish between integral and 
non-integral dates. While for closed guards like $x \leq 1$ a non-integral time-point
$t \in (0, 1)$ would suffice to represent all non-integral dates, to accommodate
open guards like $x < 1$ we need a dense interval $I \subseteq (0, 1)$. The following
characterization of decidable test-free topologies follows from Theorems 3 and 4.

Theorem 5 (Decidability). Given a test-free topology T, the reachability problem
for systems of communicating timed automata with topology T is decidable
if and only if T is a polyforest. 

Remark 3. While the reachability problem is known to be decidable for a system 
of two communicating timed automata with only one channel and emptiness 
test [18], that proof does not preserve the topology and it looks hardly adaptable 
to arbitrary polyforest topologies. 

From tick automata to timed automata. Given a system of communicating tick
automata S, we produce an equivalent system of communicating timed automata
S', over the same topology. The synchronization on $\tau$'s is easily simulated using
clocks in S' by ensuring that all the processes elapse 1 time unit exactly when
they (synchronously) perform a $\tau$ in S. Thus, every run in S has a corresponding
run in S'. For the converse to hold, we have to make sure that for every run of
S', all the processes perform the same number of $\tau$'s on the corresponding run of
S. This is ensured since we require clocks to be zero at the end of accepting runs,
thus preventing time from elapsing on final locations.

The simple topology p → q → r is known to be undecidable when both
channels can be tested for emptiness [18]. Thanks to Theorem 3, we obtain
generalized undecidability for every weakly-connected topology containing at
least two testable channels.

Theorem 6 (Undecidability). Given a weakly-connected topology T with two
testable channels, the reachability problem for systems of communicating timed 
automata with topology T is undecidable. 
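
The topological criteria used in the proof of Theorem 3 (discrete time) and in Theorems 5 and 6 and Remark 3 (dense time) can be checked mechanically on a topology (P, C, E). The following Python sketch is an added example, not code from the paper: the function names and sample topologies are constructed, and the dense-time function answers "open" whenever none of the statements quoted on this page applies directly.

```python
from collections import Counter


def analyse(processes, channels, testable):
    """Return (is_polyforest, number of weakly-connected components,
    maximal number of testable channels inside one component)."""
    if not set(testable) <= set(channels):
        raise ValueError("testable channels must be channels of the topology")
    parent = {p: p for p in processes}

    def find(p):  # union-find with path halving
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p

    polyforest = True
    for p, q in channels:
        rp, rq = find(p), find(q)
        if rp == rq:
            polyforest = False  # this channel closes an undirected cycle
        else:
            parent[rp] = rq
    n_components = len({find(p) for p in processes})
    per_component = Counter(find(p) for p, _ in testable)
    return polyforest, n_components, max(per_component.values(), default=0)


def classify_discrete(processes, channels, testable):
    """Tick automata: decidable iff T is a polyforest with at most one
    testable channel in each weakly-connected component."""
    polyforest, _, max_tests = analyse(processes, channels, testable)
    return "decidable" if polyforest and max_tests <= 1 else "undecidable"


def classify_dense(processes, channels, testable):
    """Timed automata, using only the statements quoted on this page."""
    polyforest, n_components, _ = analyse(processes, channels, testable)
    if not testable:  # Theorem 5: test-free topologies
        return "decidable" if polyforest else "undecidable"
    if n_components == 1 and len(testable) >= 2:  # Theorem 6
        return "undecidable"
    if (len(processes) == 2 and len(channels) == 1
            and len(set(next(iter(channels)))) == 2):  # Remark 3, result of [18]
        return "decidable"
    return "open"  # left open in the conclusions


# Constructed sample topologies.
CHAIN = (["p", "q", "r"], [("p", "q"), ("q", "r")])
CYCLE = (["p", "q"], [("p", "q"), ("q", "p")])
TWO_PAIRS = (["a", "b", "c", "d"], [("a", "b"), ("c", "d")])

if __name__ == "__main__":
    for tests in ([], [("p", "q")], [("p", "q"), ("q", "r")]):
        print(tests, classify_discrete(*CHAIN, tests), classify_dense(*CHAIN, tests))
```
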

5 Conclusions and future work 

We have studied the decidability and complexity of communicating timed pro- 
cesses. In discrete time, we give a complete characterization of decidable topolo- 
gies with emptiness tests, as well as a tight connection with Petri nets in the test- 
free case. In dense time, we prove decidability for polyforest test-free topologies, 
and we generalize the undecidability results of [18] to arbitrary weakly-connected 
topologies containing two testable channels. We leave open whether one can ob- 
tain, in the presence of emptiness tests, the same characterization as in discrete 
time. We conjecture that this is possible, although the techniques used here do 
not seem to easily extend to deal with emptiness tests. Finally, as another di- 
rection for future work one can study richer models where processes are allowed 
to send timestamps or clocks along channels, in the spirit of [1]. 

Acknowledgements. We thank Jerome Leroux, Anca Muscholl, and Igor Walukiewicz
for helpful discussions.

A On Communicating Timed Processes
A.1 Modeling urgency with emptiness test

We show how the urgent semantics of [18] can be modelled with a test for 
empty channel. In the urgent semantics for receive actions of [18], if a message 
can be received by a process, then internal actions are disabled (while other 
communication and delay actions are still enabled). In our model, instead of 
defining a separate urgent semantics, we introduce the extra test action $c{=}{=}\varepsilon$,
which allows us to discuss more precisely where in the topology is the urgent 
semantics (i.e., test action) used. Below, we show how to implement the urgent 
semantics of [18] with the test action. 

We need to ensure that internal actions of control states where also a receive
action $c?m$ is available can be executed only if $m$ cannot be received from $c$.
In turn, this can only happen iff either $c$ is empty, or it is not empty and the
message in front of the channel is $m' \neq m$. Let $M(\ell) = \{ m \mid \ell \xrightarrow{c?m} \ell' \}$ be the
set of messages that can be read from a given control location $\ell$. For the second
condition, we modify the automaton with a standard construction to store into
its finite control the first message $m'$ that can be received (if any), and check that
$m' \notin M(\ell)$ before the internal action can be executed. For the first condition, in
the case no message $m'$ is in the local buffer, the internal action is preceded by
a test action $c{=}{=}\varepsilon$ (by introducing an intermediate state).

A.2 On the power of ticks

Consider the topology with two processes q and r and a channel from q to r
(that cannot be tested for emptiness). Formally, this topology is the triple
$U = (\{q, r\}, \{(q, r)\}, \emptyset)$. It is known that every CFSM with topology U is existentially
1-bounded, i.e., each run can be re-ordered into a run where the channel always
contains at most one message [21,16]. However, this property doesn't hold for
systems of communicating tick automata.




Fig. 3: A simple system of communicating tick automata that is not
existentially-bounded. (a) Topology; (b) Tick automaton for process q;
(c) Tick automaton for process r.



Consider the example depicted in Figure 3. Because of the global synchronization
enforced by the tick action $\tau$, the first reception necessarily occurs after
the last transmission. Hence, this example is not existentially-bounded: for every
bound $B \in \mathbb{N}$, there exists a run with no $B$-bounded re-ordering. This shows
that systems of communicating tick automata are more expressive than CFSMs.
Alternatively, from a language viewpoint, the trace language of this example is
$\{ (!0)^n \, \tau \, (?0)^n \mid n \in \mathbb{N} \}$. However, no CFSM (with topology U) has the same trace
language (where $\tau$ would be an internal action).

A.3 Undecidability of multi-tick automata

One could consider a more expressive model where communicating tick automata
can synchronize over a finite set of distinct tick actions $\{\tau_1, \tau_2, \ldots, \tau_k\}$,
instead of just one tick $\tau$. However, in the simplest non-trivial topology
$T' = (\{q, r\}, \{(q, r)\}, \emptyset)$ (no emptiness tests) with two processes q, r and a channel from
q to r (as in Figure 4a), reachability becomes undecidable already with k = 2 tick
actions. In fact, a perfect channel automaton $S = ((\{p\}, \{(p, p)\}, \emptyset), M, \emptyset, \{A^p\})$
(for which reachability is undecidable [11]) can be simulated by topology T'
above. Without loss of generality, assume $M = \{0, 1\}$. S can be simulated by two
communicating finite-state automata (i.e., CFSMs) $S' = (T', M, \mathbb{D}, \{A^q, A^r\})$
over topology $T' = (\{q, r\}, \{(q, r)\}, \emptyset)$ as above, and where $\mathbb{D} = \{\tau_0, \tau_1\}$, $A^r$ is
shown in Figure 4b, and $A^q$ is defined as follows. Let c be the channel (q, r).
The send actions $!m$ of p are seamlessly performed by q as $c!m$. Since q (unlike
p) cannot directly read from the channel (only r can), for simulating a receive
action $?m$ of p, $m \in \{0, 1\}$, q performs the corresponding tick action $\tau_m$ in order
to force process r to read the correct message m on its behalf.

Theorem 7. Let T be a topology with at least one channel. Then, the reacha- 
bility problem for communicating multi-tick automata with at least two distinct 
tick actions and with topology T is undecidable. 



Fig. 4: Simulation of a perfect channel automaton by a 2 tick automaton.
(a) Topology; (b) Multi-tick automaton for process r.

B Proofs of Section 3

B.1 From tick automata to counter automata

For simplifying the presentation of the proof, we allow broadcast transmission
of $\tau$-messages via actions of the form $C[p]!\tau$ and global increment actions $X^p{+}{+}$
on the set of counters $X^p$. Thus, the first case in the definition of transitions in
$C^p$ is as follows:

- If $\ell \xrightarrow{\tau} \ell'$ is a transition in $A^p$, then $\ell \xrightarrow{C[p]!\tau,\ X^p{+}{+}} \ell'$ is a transition in $C^p$.

Proposition 1. Let T be a weakly-connected topology with $\alpha$ channels, of which
$\beta$ can be tested for emptiness. For every system of communicating tick automata
S with topology T, we can produce, in linear time, an equivalent system of
communicating counter automata S' with the same topology T, containing $\alpha$ counters,
of which $\beta$ can be tested for zero.

Proof. Given $S = (T, M, \{\tau\}, (A^p)_{p \in P})$, let $S' = (T, M \cup \{\tau\}, \emptyset, ([\![C^p]\!])_{p \in P})$ be
as defined in Section 3. We show that a run in S induces a run in S', and vice
versa.

For the first direction, assume there exists a run $\pi$ in S. We obtain a run $\pi'$ in
S' by a simple manipulation of $\pi$. First, all transitions in $\pi$ different from $\tau$ and
$c{=}{=}\varepsilon$ can be taken as they are in $\pi'$. Second, if there is a $\tau$ transition in $\pi$, then
it is replaced in S' by any interleaving of transitions in
$\{ \ell \xrightarrow{C[p]!\tau,\ X^p{+}{+}} \ell' \mid p \in P \}$;
after this sequence of transitions, control locations in $\pi$ and $\pi'$ match again
for each process. Moreover, the matching receive transitions
$\ell'' \xrightarrow{c?\tau,\ x^p_c{-}{-}} \ell''$ are
introduced later as soon as they can be fired (control locations do not change),
so that $\tau$ messages do not get stuck in the channels preventing other non-$\tau$
messages from being received. Notice that these transitions are enabled since
each counter $x^p_c$ is incremented when the $\tau$ is performed (by process p), and
decremented when a message $\tau$ sent at the same time from some other process q
along c is subsequently received by p. Thus, the counter $x^p_c$ is always $> 0$ when
a $\tau$ is received, and the transitions above are always enabled. Moreover, when a
channel c = (p, q) is empty, the sender p and the receiver q have performed the
same number of $\tau$'s (since the $\tau$'s are sent in contiguous blocks), and $x^q_c$ is zero.
Finally, a transition $\ell \xrightarrow{c{=}{=}\varepsilon} \ell'$ in S is translated to a transition
$\ell \xrightarrow{x^p_c{=}{=}0;\ c{=}{=}\varepsilon} \ell'$
in S', which can be fired since, by the observation above, $x^p_c$ is zero when c is
empty.

For the other direction, let $\pi$ be a run in S'. We reorder transitions in $\pi$
in order to obtain another run $\pi_1$ in S' in which processes are synchronized on
$\tau$'s. Then, $\pi_1$ is directly mapped to a run $\pi_2$ in S by replacing transitions in S'
with the matching transitions in S.

From $\pi$ to $\pi_1$. We now explain how to translate from $\pi$ to $\pi_1$. Since S' is a
completely asynchronous system, we can view $\pi_0$ as a sequence of transitions
$\pi_0 = t_0, t_1, \ldots, t_n$, where each transition $t_i$ is fired by some process $p_i$. Assume
that such a transition has the form $t_i = (\ell_i, v_i) \xrightarrow{b_i} (\ell'_i, v'_i)$, where $\ell_i, \ell'_i$ are
locations of $p_i$, $v_i, v'_i$ are valuations for $p_i$'s counters, and $b_i$ is an action in $B^{p_i}$.
Moreover, for each process p, let $\pi|_p$ be the projection of $\pi$ containing only
transitions belonging to process $p_i = p$. The idea is to decorate transitions $t_i$
in $\pi_0$ with an integral timestamp $k_i(p) \geq 0$ counting how many $\tau$'s have been
sent so far by process p (on any fixed channel). Formally, $k_i(p)$ is the number
of transitions $t_j$ in $\pi|_p$ s.t. $j < i$ (i.e., excluding $t_i$ itself) and $b_j = C[p]!\tau$.
Let $\pi'_0 = (t_0, k_0, w_0), (t_1, k_1, w_1), \ldots, (t_n, k_n, w_n)$ be the decorated path, where,
additionally, channel valuations $w_i$'s are added recording the global contents of
the channels before transition $t_i$ is fired. Finally, let $\#\tau_i(c)$ be the number of
messages $\tau$ in $w_i(c)$. A few observations are in order:

- At the beginning, $k_0(p) = 0$ for every process p.

- For each p, the sequence $k_0(p), k_1(p), \ldots, k_n(p)$ is non-decreasing.

- For each channel c = (p, q), the receiver process q has received, at step i,
$k_i(q) - v_i(x^q_c) \geq 0$ $\tau$-messages. 9 Consequently, there are
$\#\tau_i(c) = k_i(p) - (k_i(q) - v_i(x^q_c)) \geq 0$ $\tau$'s left on channel c. When c is empty,

$k_i(p) = k_i(q) - v_i(x^q_c)$ (1)

- At the end, $k_n(p) = k_n(q)$ for every processes p and q (since channels are
empty and counters are zero).

However, while timestamps are locally non-decreasing, they are not necessarily
globally non-decreasing. Having globally non-decreasing timestamps is necessary
to show that the processes can be correctly synchronized on $\tau$'s. We produce
another run $\pi_1$ starting from $\pi'$, where timestamps are not only locally
non-decreasing, but also globally non-decreasing. To do so, we show that transitions
in $\pi'_0$ can be swapped when the timestamp decreases (necessarily along different
processes). Formally, we swap adjacent transitions

$(t_i, k_i, w_i), (t_{i+1}, k_{i+1}, w_{i+1})$ whenever $k_i(p_i) > k_{i+1}(p_{i+1})$ (†)

In general, we say that a pair of transitions $(t_i, t_j)$ with $i < j$ is offending iff
$k_i(p_i) > k_j(p_j)$; we aim at a new run $\pi_1$ with no offending transitions. Notice
that in a path with no offending transitions, once a process broadcasts a $\tau$ (by
simulating a tick action), then it is blocked until all other processes have done
the same.

The difficulty in swapping offending transitions is that, in general, transitions
might have dependencies between each other, and dependent transitions
cannot be swapped. We analyse the dependencies that can theoretically arise,
and we argue that offending transitions cannot be dependent, and thus they are
swappable. There are three kinds of dependencies for a pair of transitions $(t_i, t_j)$,
$i < j$:

1. Locality: $t_i$ and $t_j$ belong to the same process $p_i = p_j$.

2. Send/Receive: $t_i$ is a send on a channel c and $t_j$ is the matching receive.

3. Test/Send: $t_i$ is an emptiness test $b_i = c{=}{=}\varepsilon$ on c, and $t_j$ is the first send
on c since $t_i$. Formally, $b_j = c!m$, and for every $i < k < j$ and $m' \in M$,
$b_k \neq c!m'$ (thus, $w_i(c) = w_{i+1}(c) = \cdots = w_j(c) = \varepsilon$).

We argue that offending transitions cannot be dependent, therefore we can
swap all transitions as in (†) above. Clearly, when no more transitions can be
swapped, we have globally non-decreasing timestamps, and the swapping process
terminates since the total number of offending pairs decreases at each step.
Thus, let $(t_i, k_i, w_i), (t_{i+1}, k_{i+1}, w_{i+1})$ be two adjacent offending transitions, i.e.,
$k_i(p_i) > k_{i+1}(p_{i+1})$. We show that they are not dependent for each one of the
cases above:

9 In fact, counter $x^q_c$ is incremented $k_i(q)$ times, and decremented each time a
$\tau$-message is received.

1. Locality: Clearly, $t_i, t_{i+1}$ belong to different processes ($p_i \neq p_{i+1}$) since
timestamps are locally non-decreasing. Thus, there is no locality dependency.

2. Send/Receive: Since the transitions are offending, $k_i(p_i) > k_{i+1}(p_{i+1})$, thus
$p_i$ has sent more $\tau$'s than $p_{i+1}$ has done. By how counters are updated (being
always non-negative), $p_{i+1}$ cannot receive more $\tau$'s from $p_i$ than it has sent
himself. Therefore, $p_i$ has sent more $\tau$'s than $p_{i+1}$ has received, thus there
are $\tau$'s still in the channel. Formally, $\#\tau_{i+1}(c) > 0$ by Equation 1 (since,
by local non-decreasingness, $k_i(p_i) \leq k_{i+1}(p_i)$). Therefore, the message sent
from $p_i$ is not in front of the channel and cannot be received by $p_{i+1}$, and
there is no Send/Receive dependency.

3. Test/Send: Since $t_i$ is an emptiness test $b_i = c{=}{=}\varepsilon$ on c, $w_i(c) = w_{i+1}(c) = \varepsilon$.
By construction, process $p_i$ has previously checked that counter $x^{p_i}_c$ is zero.
Since the counter can only be modified by $p_i$, $v_i(x^{p_i}_c) = 0$, and, since the
counter does not change in the next step, also $v_{i+1}(x^{p_i}_c) = 0$. Therefore, by
Equation 1, $k_{i+1}(p_{i+1}) = k_{i+1}(p_i)$. Since $k_i(p_i) = k_{i+1}(p_i)$ (no new $\tau$'s have
been performed by $p_i$), we get $k_i(p_i) = k_{i+1}(p_{i+1})$, which is a contradiction
since transitions are offending. Thus, there is no Test/Send dependency.

From $\pi_1$ to $\pi_2$. We have thus built a non-offending sequence of S'-transitions
$\pi_1 = (t'_0, k'_0, w'_0), (t'_1, k'_1, w'_1), \ldots, (t'_n, k'_n, w'_n)$. The former can be transformed
into a sequence of S-transitions $\pi_2 = (e_0, m_0), (e_1, m_1), \ldots, (e_n, m_n)$ (decorated
with channel contents $m_i$) by discarding the timestamp annotations $k'_i$, by
removing $\tau$'s from channels (i.e., $m_i(c)$ equals $w'_i(c)$ without $\tau$'s), and by inverting
transition-wise the construction, as follows: For every transition
$t'_i = (\ell_i, v_i) \xrightarrow{b_i} (\ell'_i, v'_i)$ in S', we define the transition $e_i = \ell_i \xrightarrow{a_i} \ell'_i$ in S by case analysis (we set
$a_i$ equal to the special symbol $\varepsilon$ when the transition is to be removed):

- Transmitting a $\tau$-message becomes a tick action $\tau$: If $b_i = C[p]!\tau$, then $a_i = \tau$.

- Receiving of $\tau$'s disappears: If $b_i = c?\tau$, then $a_i = \varepsilon$.

- Counter operations disappear: If $b_i \in Op(X^p)$ then $a_i = \varepsilon$.

- Every other action stays unchanged, i.e., $a_i = b_i$ for every other $b_i$'s.

In particular, for tests of channel emptiness, if $b_i = c{=}{=}\varepsilon$, then $a_i = c{=}{=}\varepsilon$.
Since $w'_i(c) = \varepsilon$, then $m_i(c) = \varepsilon$ and $e_i$ can be fired.

Let k be the total number of processes p's. Since $\pi_1$ was non-offending, tick
actions $\tau$ in $\pi_2$ occur in blocks of length exactly k, one for each p. Therefore, the
sequence of transitions $\pi_2$ can be interpreted in a path of S where the processes
synchronize on $\tau$'s.

B.2 Complexity 

Corollary 1 (Complexity). The reachability problem for systems of communicating
tick automata with test-free polyforest topologies has the same complexity
as the reachability problem for counter automata without zero tests (equivalently,
Petri nets).

Proof. The lower bound follows immediately from Theorem 2. For the upper
bound, we use the same construction as in the proof of Theorem 3. However,
each component $C_k$ in that construction was derived as a product of counter
automata (cf. Theorem 1), which would introduce an exponential blow-up in the
number of locations. We avoid the blowup by a standard construction replacing
each location in each process in $C_k$ by a (1-bounded) counter, and adding a finite
control to simulate the transitions of $C_k$.

C.3 From counter automata to tick automata 

We formally prove, in this appendix subsection, the simulation of counter au- 
tomata by systems of communicating tick automata with star topology. This 
simulation was presented, informally, in Section 3. We refer the reader to this 
section for the definition of the constructed system of communicating tick au- 
tomata S with star topology T. 

Recall that the set S of global states of S is the cartesian product of its sets of
local states, i.e., $S = \prod_{p \in P} S^p$. To simplify notation, global states of S will also
be denoted by triples $(\ell, u, v)$ where $\ell \in S^p$, $u \in \prod_{i=1}^{m} S^{q_i}$ and $v \in \prod_{j=1}^{n} S^{r_j}$. We
write $\mathbf{0}$ for the vector $(0, \ldots, 0)$ and $\mathbf{1}$ for the vector $(1, \ldots, 1)$. For every valuation
$v \in \mathbb{N}^{X \cup Y}$, we define the encoding $\eta(v) \in (M^*)^C$ of $v$ by $\eta(v)(c_i) = \mathrm{wait}^{v(x_i)}$
and $\eta(v)(d_j) = \mathrm{wait}^{v(y_j)}$. The following lemma shows that every transition in
$[\![C]\!]$ can be simulated by a path of $[\![S]\!]$.

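Lemma 1. For every transition $(\ell, v) \xrightarrow{op} (\ell', v')$ of $[\![C]\!]$, there exists a path from
$((\ell, \mathbf{0}, \mathbf{0}), \eta(v))$ to $((\ell', \mathbf{0}, \mathbf{0}), \eta(v'))$ in $[\![S]\!]$.

Proof. Consider a transition $(\ell, v) \xrightarrow{op} (\ell', v')$ of $[\![C]\!]$. To simplify notation, we
define $w = \eta(v)$ and $w' = \eta(v')$. A couple of intermediate states in $S^p$ are
sometimes needed to decompose paths. We will simply denote them by $\circ_1$ and
$\circ_2$. We consider six cases, depending on the counter operation op.

- $x_i{+}{+}$. It holds that $v'(x_i) = v(x_i) + 1$ and $v'(x) = v(x)$ for all $x \in X \cup Y$ with
$x \neq x_i$. Hence, $w'(c_i) = w(c_i) \cdot \mathrm{wait}$ and $w'(c) = w(c)$ for all $c \in C$ with
$c \neq c_i$. By construction, $[\![S]\!]$ contains the following transition:

$((\ell, \mathbf{0}, \mathbf{0}), w) \xrightarrow{c_i!\mathrm{wait}} ((\ell', \mathbf{0}, \mathbf{0}), w')$

- $y_j{-}{-}$. It holds that $v(y_j) = v'(y_j) + 1$ and $v'(x) = v(x)$ for all $x \in X \cup Y$
with $x \neq y_j$. Hence, $w(d_j) = \mathrm{wait} \cdot w'(d_j)$ and $w'(c) = w(c)$ for all $c \in C$
with $c \neq d_j$. By construction, $[\![S]\!]$ contains the following transition:

- $x_i{-}{-}$. It holds that $v(x_i) = v'(x_i) + 1$ and $v'(x) = v(x)$ for all $x \in X \cup Y$
with $x \neq x_i$. Hence, $w(c_i) = \mathrm{wait} \cdot w'(c_i)$ and $w'(c) = w(c)$ for all $c \in C$
with $c \neq c_i$. Furthermore, $w(c) \in \{\mathrm{wait}\}^*$ for all $c \in C$. By construction,
$[\![S]\!]$ contains the following path:

$((\ell, \mathbf{0}, \mathbf{0}), w) \to \to ((\circ_1, \mathbf{1}, \mathbf{0}), w') \to$
$((\circ_2, \mathbf{0}, \mathbf{1}), w') \xrightarrow{(d_j!\mathrm{wait})_{1 \leq j \leq n}} \xrightarrow{(d_k?\mathrm{wait})_{1 \leq k \leq n}} ((\ell', \mathbf{0}, \mathbf{0}), w')$

- $y_j{+}{+}$. It holds that $v'(y_j) = v(y_j) + 1$ and $v'(x) = v(x)$ for all $x \in X \cup Y$
with $x \neq y_j$. Hence, $w'(d_j) = w(d_j) \cdot \mathrm{wait}$ and $w'(c) = w(c)$ for all $c \in C$
with $c \neq d_j$. Furthermore, $w(c) \in \{\mathrm{wait}\}^*$ for all $c \in C$. By construction,
$[\![S]\!]$ contains the following path:

$((\ell, \mathbf{0}, \mathbf{0}), w) \xrightarrow{(c_h!\mathrm{wait})_{1 \leq h \leq m}} \xrightarrow{(c_i?\mathrm{wait})_{1 \leq i \leq m}} ((\circ_1, \mathbf{1}, \mathbf{0}), w) \xrightarrow{\tau}$
$((\circ_2, \mathbf{0}, \mathbf{1}), w) \xrightarrow{(d_k!\mathrm{wait})_{1 \leq k \leq n}} \xrightarrow{(d_k?\mathrm{wait})_{1 \leq k \leq n,\, k \neq j}} ((\ell', \mathbf{0}, \mathbf{0}), w')$

- $x_i{=}{=}0$. It holds that $v = v'$ and $v(x_i) = v'(x_i) = 0$. Hence, $w = w'$ and
$w(c_i) = w'(c_i) = \varepsilon$. By construction, $[\![S]\!]$ contains the following path:

$((\ell, \mathbf{0}, \mathbf{0}), w) \to \bullet \to \bullet \to ((\ell', \mathbf{0}, \mathbf{0}), w')$

- $y_j{=}{=}0$. It holds that $v = v'$ and $v(y_j) = v'(y_j) = 0$. Hence, $w = w'$ and
$w(d_j) = w'(d_j) = \varepsilon$. By construction, $[\![S]\!]$ contains the following path:

$((\ell, \mathbf{0}, \mathbf{0}), w) \xrightarrow{d_j{=}{=}\varepsilon} \bullet \xrightarrow{d_j!\mathrm{test}} \bullet \xrightarrow{d_j?\mathrm{test}} ((\ell', \mathbf{0}, \mathbf{0}), w')$

We get, in all cases, that there is a path from $((\ell, \mathbf{0}, \mathbf{0}), w)$ to $((\ell', \mathbf{0}, \mathbf{0}), w')$ in
$[\![S]\!]$.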

For the reverse direction, we show that paths of $[\![S]\!]$ encoding a single counter
operation correspond to transitions of $[\![C]\!]$. This correspondence is expressed as
follows. For every $s \in S$ and $w \in (M^*)^C$, we define the decoding $\delta(s, w) \in \mathbb{N}^{X \cup Y}$
of $(s, w)$ by

$\delta(s, w)(x_i) = |w(c_i)|_{\mathrm{wait}} + (s^{q_i} \bmod 2)$ and $\delta(s, w)(y_j) = |w(d_j)|_{\mathrm{wait}} + s^{r_j}$

where $|u|_{\mathrm{wait}}$ denotes the number of occurrences of wait in a word $u \in M^*$. Since
p is the process controlling the simulation of the counter machine, the decoding
should remain constant along transitions that do not involve p. It is routinely
checked that this property holds.

Remark 4. It holds that $\delta(s, w) = \delta(s', w')$ for every transition $(s, w) \xrightarrow{a} (s', w')$
of $[\![S]\!]$ such that $a \notin A^p \cup \{\tau\}$.

Lemma 2. For every operation op G Op(XL)Y) and for every path tt = (s, w) — — > 
(s',w') in [5], (£,S(s,w)) <5(a', «/)) is a transition of ' [C] z/ 
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1. the projection of n on p is the extended transition £ > £' , and 

2. there exists s" £ S such that (s',w') — > (s",\c.s) in [<S]. 

Proof. Consider a counter operation op £ 0p(^ U Y) and a path it = (s, w) — > 
(s',w') in [<SJ. Assume that both conditions of the lemma are satisfied. To 
simplify notation, define v = S(s,w) and v' — S(s',w'). Let us show that 
(£, v) -^-» {£' ,v') is a transition of [CJ. By assumption, A p contains the ex- 
tended transition £ v ^ op \ Since r) is injective, we get that {£, oj>,£') £ A It 
remains to prove that v and v' conform to the semantics of counter automata. 
We consider six cases, depending on the counter operation op. 

— Xi++. The path it may be written as ir — xi • (si,w\) c '' walt > (52,^2) • Xi- 
Since xi an d X2 do not involve p, it holds that v = 5(s,w) — 5(si,wi) and 
S(s 2 ,w 2 ) = 5(s',w') = v'. Hence, w'(xj) = w(xj) + 1 and v'(x) — v(x) for all 
x £ A U Y with x ^ Xi. 

— Yj — . The path 7r may be written as 7r = xi ■ — > (s 2 ,w 2 ) • Xi- 

By proceeding as above, we get that v(yj) — v'(yj) + 1 and v'(x) = v(x) for 
all x £ A UY with x ^ y^. 

— $x_i$--. The path $\pi$ may be written as
$\pi = \chi_1 \cdot (s_1,w_1) \to (s_2,w_2) \cdot \chi_2$. Observe
that $\delta(s_2,w_2)(x) = \delta(s_1,w_1)(x) - 1$ and $\delta(s_2,w_2)(y) = \delta(s_1,w_1)(y) + 1$,
for all $x \in X$ and $y \in Y$. The projections of $\chi_1$ and $\chi_2$ on $p$ have trace
$(c_l!\mathit{wait})_{1 \leq l \leq m,\ l \neq i}$ and $(d_k?\mathit{wait})_{1 \leq k \leq n}$, respectively. We derive that

• $v'(x_i) = \delta(s_2,w_2)(x_i) = \delta(s_1,w_1)(x_i) - 1 = v(x_i) - 1$.

• for all $x \in X$ with $x \neq x_i$, $v'(x) = \delta(s_2,w_2)(x) = \delta(s_1,w_1)(x) - 1 = v(x)$.

• for all $y \in Y$, $v'(y) = \delta(s_2,w_2)(y) - 1 = \delta(s_1,w_1)(y) = v(y)$.

Hence, $v(x_i) = v'(x_i) + 1$ and $v'(x) = v(x)$ for all $x \in X \cup Y$ with $x \neq x_i$.

— $y_j$++. The path $\pi$ may be written as
$\pi = \chi_1 \cdot (s_1,w_1) \to (s_2,w_2) \cdot \chi_2$. Again,
$\delta(s_2,w_2)(x) = \delta(s_1,w_1)(x) - 1$ and $\delta(s_2,w_2)(y) = \delta(s_1,w_1)(y) + 1$, for all
$x \in X$ and $y \in Y$. The projections of $\chi_1$ and $\chi_2$ on $p$ have trace
$(c_l!\mathit{wait})_{1 \leq l \leq m}$ and $(d_k?\mathit{wait})_{1 \leq k \leq n,\ k \neq j}$, respectively.
By proceeding as above, we get that $v'(y_j) = v(y_j) + 1$ and $v'(x) = v(x)$ for all
$x \in X \cup Y$ with $x \neq y_j$.

— $x_i$==0. The path $\pi$ may be written as
$\pi = \chi_1 \cdot (s_1,w_1) \xrightarrow{c_i!\mathit{test}} (s_2,w_2) \cdot \chi_2$.
Note that $\delta(s_1,w_1) = \delta(s_2,w_2)$. Since $\chi_1$ and $\chi_2$ do not involve $p$, we
obtain that $v = \delta(s_1,w_1) = \delta(s_2,w_2) = v'$. Let us show that $v(x_i) = 0$.
By assumption, it is possible to reach, from (s',w'), a configuration with 

all channels empty. Therefore, there exists a path (s\, w\) c '' test > (s 2 ,w 2 ) ■ 

£ ■ (s 3 ,u> 3 ) c " test > (34,104) in [<S] such that its last action, c,?test, is 
the matching receive of its first action, cutest. This means that Wi(cj) 
is precisely the sequence of messages received from Cj in ^. Observe that 
the channel Cj remains non-empty in ^. Therefore, ^ does not contain the 
action Cj==£. By construction, this entails that the projection of £ on ^ is 
empty. It follows that = =2. Moreover, since is the receiver of 
Ci and tui(cj) is entirely received in ^, we derive that Wi(cj) = e. Hence, 
$v(x_i) = \delta(s_1,w_1)(x_i) = 0$.

— $y_j$==0. The path $\pi$ may be written as
$\pi = \chi_1 \cdot (s_1,w_1) \to (s_2,w_2) \cdot \chi_2 \cdot (s_3,w_3) \xrightarrow{d_j?\mathit{test}} (s_4,w_4) \cdot \chi_3$.
Note that $\delta(s_1,w_1) = \delta(s_2,w_2)$ and $\delta(s_3,w_3) = \delta(s_4,w_4)$. Since $\chi_1$, $\chi_2$
and $\chi_3$ do not involve $p$, we obtain that
$v = \delta(s_1,w_1) = \cdots = \delta(s_4,w_4) = v'$. Let us show that $v(y_j) = 0$. Obviously,
it holds that $w_1(d_j) = w_2(d_j) = \varepsilon$. Moreover, since $\chi_1$ does not contain any
reception from $d_j$, the first message sent to $d_j$ in $\chi_2$ is $\mathit{test}$, which entails
that s\ 3 = s T 2 3 = 0. Hence, $v(y_j) = \delta(s_1,w_1)(y_j) = 0$.

We obtain, in all cases, that $v$ and $v'$ conform to the semantics of the counter
operation $op$. Since $(\ell, op, \ell') \in \Delta$, we conclude that
$(\ell,v) \xrightarrow{op} (\ell',v')$ is a transition of $[\![\mathcal{C}]\!]$.

Proposition 2. There exists a run in $[\![\mathcal{C}]\!]$ if and only if there exists a run in $[\![\mathcal{S}]\!]$.

Proof. Consider a run $\rho = (\ell,v) \xrightarrow{*} (\ell',v')$ in $[\![\mathcal{C}]\!]$. By applying Lemma 1 to
each transition of $\rho$, we obtain a path from $((\ell,0,0), \eta(v))$ to $((\ell',0,0), \eta(v'))$ in
$[\![\mathcal{S}]\!]$. This path is a run since $((\ell,0,0), \eta(v))$ and $((\ell',0,0), \eta(v'))$ are initial and
final configurations of $[\![\mathcal{S}]\!]$, respectively.

To prove the converse, pick a run $\rho = (s,w) \xrightarrow{*} (s',w')$ in $[\![\mathcal{S}]\!]$. The
projection $\rho|_p$ of $\rho$ on $p$ is a path in $\mathcal{A}^p$ starting and ending in $L$. Hence,
$\rho|_p$ may be written as a concatenation
$\ell_0 \xrightarrow{op_1} \ell_1 \cdots \ell_{k-1} \xrightarrow{op_k} \ell_k$ of extended transitions.
It follows that $\rho$ is a concatenation $\rho = \pi_1 \cdots \pi_k$ of paths $\pi_i$ in $[\![\mathcal{S}]\!]$ such
that $\pi_i|_p = \ell_{i-1} \xrightarrow{op_i} \ell_i$ for all $i \in \{1, \dots, k\}$. Since $\rho$ ends in a
configuration with all channels empty, each path $\pi_i$ satisfies the two conditions of
Lemma 2. We obtain, by applying Lemma 2 to each $\pi_i$, a path from $(\ell, \delta(s,w))$ to
$(\ell', \delta(s',w'))$ in $[\![\mathcal{C}]\!]$. This path is a run since $(\ell, \delta(s,w))$ and $(\ell', \delta(s',w'))$
are initial and final configurations of $[\![\mathcal{C}]\!]$, respectively.

D Appendix of Section 4 

D.l Proof of the Rescheduling Lemma 

We first restate the Rescheduling Lemma. 

Lemma 2. Let $B$ be a timed automaton, and $I \subseteq (0,1)$ an open interval. Then,
every run of $B$, $(\ell_0,v_0) \xrightarrow{a_0,t_0} \cdots (\ell_n,v_n)$, can be rescheduled such that integral
timestamps $t_i \in \mathbb{N}$ are kept the same, and non-integral timestamps $t_i \in (k,k+1)$
are rescheduled in $k + I$.

Let us first introduce notations and preliminary definitions. Let $\lfloor r \rfloor$ denote
the integral part of $r \in \mathbb{R}$ and let $\{r\}$ denote its fractional part. Two valuations
$v$ and $v'$ are equivalent$^{10}$, denoted $v \sim v'$, iff for all clocks $x$ and $y$:

1. $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$,

2. $\{v(x)\} = 0$ iff $\{v'(x)\} = 0$,

3. $\{v(x)\} < \{v(y)\}$ iff $\{v'(x)\} < \{v'(y)\}$.

$^{10}$ This is the usual region equivalence [8] with no bound associated to the clocks.



The following Lemma is an intermediate result for the proof of the Rescheduling
Lemma.

Lemma 3. For all non-negative real numbers $t$, $t'$ and $t''$ such that $t > t'$, $t > t''$
and $0 < \{t'\} < \{t''\}$ we have:

$$\{t - t'\} < \{t - t''\} \quad \text{if } \{t'\} < \{t\} < \{t''\} \tag{2}$$
$$\{t - t''\} < \{t - t'\} \quad \text{if } \{t\} < \{t'\} \text{ or } \{t''\} < \{t\} \tag{3}$$

Proof. First, observe that for non-negative real numbers $t$ and $t'$:

$$\{t - t'\} = \begin{cases} \{t\} - \{t'\} & \text{if } \{t\} - \{t'\} \geq 0 \\ 1 + \{t\} - \{t'\} & \text{otherwise} \end{cases} \tag{4}$$

Let us first prove (2). From $\{t'\} < \{t''\}$, we have $\{t''\} < \{t'\} + 1$, hence
$1 + \{t\} - \{t''\} > \{t\} - \{t'\}$. Then since $\{t'\} < \{t\} < \{t''\}$ it comes
$\{t - t'\} < \{t - t''\}$ by (4).

Now, we turn to the proof of (3). From $\{t'\} < \{t''\}$ we deduce
$\{t\} - \{t'\} > \{t\} - \{t''\}$. If $\{t''\} < \{t\}$, from (4) we obtain $\{t - t''\} < \{t - t'\}$.
If $\{t\} < \{t'\}$, then we further deduce that $1 + \{t\} - \{t'\} > 1 + \{t\} - \{t''\}$, which
also leads to $\{t - t''\} < \{t - t'\}$ by (4).



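Finally, without loss of generality, we can assume that a run of a timed
automaton $B$ is an alternating sequence of delays $d_i \in \mathbb{R}_{\geq 0}$ and actions $a_i$:
$(\ell_0,v_0) \xrightarrow{d_1} (\ell_0,u_1) \xrightarrow{t_1,a_1} (\ell_1,v_1) \xrightarrow{d_2} (\ell_1,u_2) \xrightarrow{t_2,a_2} \cdots (\ell_n,v_n)$.
We omit the timestamps on delays as they are not needed in the sequel.

We are now ready to prove the Rescheduling Lemma. We show that for every
open interval $I = (a,b)$ in $(0,1)$, from every run
$\rho = (\ell_0,v_0) \xrightarrow{d_1} (\ell_0,u_1) \xrightarrow{t_1,a_1} (\ell_1,v_1) \xrightarrow{d_2} (\ell_1,u_2) \xrightarrow{t_2,a_2} \cdots (\ell_n,v_n)$
we can build a run
$\rho' = (\ell_0,v'_0) \xrightarrow{d'_1} (\ell_0,u'_1) \xrightarrow{t'_1,a_1} (\ell_1,v'_1) \xrightarrow{d'_2} (\ell_1,u'_2) \xrightarrow{t'_2,a_2} \cdots (\ell_n,v'_n)$
such that $v'_0 = v_0$, and for all $i \in \{1, \dots, n\}$, if $t_i \in \mathbb{N}$ then $t'_i = t_i$,
otherwise, $t'_i \in \lfloor t_i \rfloor + I$, and $v_i \sim v'_i$ and $u_i \sim u'_i$.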
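The statement above can be checked mechanically on a concrete run. The following Python sketch is an added example, not part of the original paper: it implements the three conditions of the equivalence $\sim$ with exact rationals and tests whether a proposed list of new timestamps satisfies the conclusion of the Rescheduling Lemma. The run, its resets, the interval $I = (1/4, 1/2)$ and all function names are constructed for illustration, and all clocks are assumed to start at 0.

```python
from fractions import Fraction as F
from math import floor

def frac(r):
    """Fractional part {r}."""
    return r - floor(r)

def equivalent(v, w):
    """v ~ w: conditions 1-3 of the unbounded region equivalence."""
    cs = list(v)
    return (all(floor(v[x]) == floor(w[x]) for x in cs)
            and all((frac(v[x]) == 0) == (frac(w[x]) == 0) for x in cs)
            and all((frac(v[x]) < frac(v[y])) == (frac(w[x]) < frac(w[y]))
                    for x in cs for y in cs))

def valuations(stamps, resets, clocks):
    """u_i(x) = t_i - t_x just before action i (assumption: clocks start at 0)."""
    last = dict.fromkeys(clocks, F(0))
    out = []
    for t, reset in zip(stamps, resets):
        out.append({x: t - last[x] for x in clocks})
        for x in reset:
            last[x] = t
    return out

def is_rescheduling(stamps, new, resets, clocks, a, b):
    """Check the lemma's conclusion for I = (a, b) on one concrete run."""
    if any(s > t for s, t in zip(new, new[1:])):
        return False                      # timestamps must stay ordered
    for t, t2 in zip(stamps, new):
        if frac(t) == 0 and t2 != t:
            return False                  # integral timestamps are kept
        if frac(t) != 0 and not (floor(t2) == floor(t) and a < frac(t2) < b):
            return False                  # the others must land in floor(t) + I
    return all(equivalent(u, u2) for u, u2 in
               zip(valuations(stamps, resets, clocks),
                   valuations(new, resets, clocks)))

# Constructed run over clocks x and y, with I = (1/4, 1/2).
CLOCKS = ("x", "y")
STAMPS = [F(1, 10), F(7, 10), F(1), F(19, 10), F(41, 20)]
RESETS = [{"x"}, {"y"}, set(), {"x"}, set()]
GOOD = [F(3, 10), F(2, 5), F(1), F(29, 20), F(23, 10)]
BAD = [F(3, 10), F(3, 10), F(1), F(29, 20), F(23, 10)]  # gives {u'_2(x)} = 0

if __name__ == "__main__":
    print(is_rescheduling(STAMPS, GOOD, RESETS, CLOCKS, F(1, 4), F(1, 2)))
    print(is_rescheduling(STAMPS, BAD, RESETS, CLOCKS, F(1, 4), F(1, 2)))
```

`BAD` keeps every timestamp inside $\lfloor t_i \rfloor + I$ but reuses the reset time of $x$ for the second action, so condition 2 of the equivalence fails; this is the situation the proof avoids by choosing $\{t'_{i+1}\}$ distinct from $\{t'_x\}$.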

Proof. We prove by induction on the length of run $\rho$ that all $t'_i$ can be chosen
such that $v_i \sim v'_i$ and $u_i \sim u'_i$ for all $i > 0$. This is obvious for $v_0$ and $v'_0$ as
they are equal. Now, we assume that $v_i \sim v'_i$ holds up to some given $i > 0$, and
we prove that $u_{i+1} \sim u'_{i+1}$. Observe that this entails $v_{i+1} \sim v'_{i+1}$ as $v_{i+1}$ and
$v'_{i+1}$ are obtained from $u_{i+1}$ and $u'_{i+1}$ respectively by resetting the same clocks
as specified by transition $a_{i+1}$.

For every clock $x$, let $t_x$ denote the last timestamp before $t_{i+1}$ when clock
$x$ has been reset. That is, $t_x$ is the largest timestamp $t_j$ in $\{t_0, \dots, t_i\}$ such
that $x$ is reset on the transition $a_j$. In the same way, we define $t'_x$ relatively
to $t'_{i+1}$. Observe that $u_{i+1}(x) = t_{i+1} - t_x$ and $u'_{i+1}(x) = t'_{i+1} - t'_x$ for every
clock $x$. By induction hypothesis, the lemma holds for $t_x$ and $t'_x$. That is: if
$\{t_x\} = 0$ (i.e. $t_x \in \mathbb{N}$) then $\{t'_x\} = 0$, otherwise $\{t'_x\} \in I$. Observe also that
$\{u_{i+1}(x)\} = \{u_{i+1}(y)\}$ entails $\{t_x\} = \{t_y\}$ for all clocks $x$ and $y$. The same
holds for $u'_{i+1}$, $t'_x$ and $t'_y$.

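As a first step, we prove that $\lfloor u_{i+1}(x) \rfloor = \lfloor u'_{i+1}(x) \rfloor$ for every clock $x$, which
corresponds to condition 1 of the region equivalence. We prove that this holds for
any choice of $t'_{i+1}$ that respects the conditions in the lemma. We have
$u_{i+1}(x) = \lfloor t_{i+1} \rfloor - \lfloor t_x \rfloor + \{t_{i+1}\} - \{t_x\}$ and
$u'_{i+1}(x) = \lfloor t'_{i+1} \rfloor - \lfloor t'_x \rfloor + \{t'_{i+1}\} - \{t'_x\}$. The cases
where $\{t_x\} = 0$ or $\{t_{i+1}\} = 0$ are straightforward. We only detail the case where
$\{t_x\} \in (0;1)$, which entails $\{t'_x\} \in I$ by induction, and $\{t_{i+1}\} \in (0;1)$. We show
that any choice of $\{t'_{i+1}\} \in I$ is valid. We have:
$\lfloor t_{i+1} \rfloor - \lfloor t_x \rfloor - 1 < \lfloor u_{i+1}(x) \rfloor < \lfloor t_{i+1} \rfloor - \lfloor t_x \rfloor + 1$ and
$\lfloor t'_{i+1} \rfloor - \lfloor t'_x \rfloor + a - b < \lfloor u'_{i+1}(x) \rfloor < \lfloor t'_{i+1} \rfloor - \lfloor t'_x \rfloor + b - a$
(recall $I = (a,b)$). Now, since $\lfloor t_{i+1} \rfloor = \lfloor t'_{i+1} \rfloor$, $\lfloor t_x \rfloor = \lfloor t'_x \rfloor$, and $0$ is the only
integer between $a - b$ and $b - a$, it comes $\lfloor u_{i+1}(x) \rfloor = \lfloor u'_{i+1}(x) \rfloor$.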

In a second step, we prove that conditions 2 and 3 of the region equivalence
hold. Let $X_0, \dots, X_k \subseteq X$ define a partition of the clocks according to their
fractional part in the valuation $v_i$. Formally, for each $x, y \in X_j$, $\{v_i(x)\} = \{v_i(y)\}$,
for each x e X d and y G {«i(y)} < {^(x)}, and $\bigcup_{j=0}^{k} X_j = X$.

Observe that $v_i$ and $v'_i$ define the same partition of clocks as $v_i \sim v'_i$. This
partition is depicted in Figure 5 to the left. As time elapses from $v_i$ and $v'_i$,
the fractional part of clock valuations increases and the ordering of partitions
changes. Some clocks, say $X_0, \dots, X_{j-1}$, have their fractional part increased,
whereas some others, say $X_j, \dots, X_k$, have their fractional part decreased as they
have been set back to 0 meanwhile. Assume that the ordering of fractional part
of the clocks in $u_{i+1}$ is as depicted in Figure 5 to the right. We now show that
$\{t'_{i+1}\}$ can always be chosen in such a way that $u'_{i+1}$ has the same ordering
of the fractional part of the clocks as $u_{i+1}$, which will conclude the proof that
$u_{i+1} \sim u'_{i+1}$.



Fig. 5: The ring of fractional parts before (left) and after (right) time elapses.

We first consider the case when the partition only contains the single set $X$.
As all the clocks have the same fractional part, only condition 2 of the region
equivalence needs to be considered. If $\{u_{i+1}(x)\} = 0$ for all clocks $x$, we choose
$\{t'_{i+1}\} = \{t'_x\}$ which yields $\{u'_{i+1}(x)\} = 0$. By induction, $\{t'_{i+1}\}$ satisfies the
lemma. Conversely, when $\{u_{i+1}(x)\} > 0$ for all clocks $x$, choosing $\{t'_{i+1}\} \neq \{t'_x\}$
guarantees that $\{u'_{i+1}(x)\} > 0$ too. We need to show that there always exists
such a solution. From $\{u_{i+1}(x)\} > 0$, we obtain $\{t_{i+1} - t_x\} > 0$, hence we
cannot have $\{t_{i+1}\} = 0$ and $\{t_x\} = 0$ at the same time. If $\{t_{i+1}\} = 0$ then
$\{t_x\} > 0$, hence $\{t'_{i+1}\} = 0$ is a solution since $\{t'_x\} > 0$ by induction hypothesis.
Conversely, if $\{t_{i+1}\} \in (0;1)$, then we can choose any $\{t'_{i+1}\} \in I$ distinct from
$\{t'_x\}$ (recall $\{t'_x\} = \{t'_y\}$ for all clocks $x$ and $y$).

Now, we consider a partition $X_0, \dots, X_k$ of the clocks in $v_i$ and $v'_i$, with $k > 1$,
and the partition $X_j, \dots, X_k, X_0, \dots, X_{j-1}$ in $u_{i+1}$ as depicted in Figure 5. Let us
first focus on the case when $\{u_{i+1}(x)\} = 0$ for $x \in X_j$. As $u'_{i+1}(x) = t'_{i+1} - t'_x$, for
$\{u'_{i+1}(x)\} = 0$ it must be the case that $\{t'_{i+1}\} = \{t'_x\}$. By induction hypothesis,
this value of $\{t'_{i+1}\}$ satisfies the lemma.

Now consider the case where $\{u_{i+1}(x)\} > 0$ for $x \in X_j$. As seen on Figure 5
to the right, we need to make sure that, in valuation $u'_{i+1}$, the clocks in $X_j$ have
the smallest fractional part and the clocks in $X_{j-1}$ have the biggest one. This
is ensured by condition $\{u'_{i+1}(x)\} < \{u'_{i+1}(y)\}$ for $x \in X_j$ and $y \in X_{j-1}$, which
translates as:

$$\{t'_{i+1} - t'_x\} > 0 \quad \text{and} \quad \{t'_{i+1} - t'_x\} < \{t'_{i+1} - t'_y\} \tag{5}$$

We distinguish two cases whether $\{t'_y\} > \{t'_x\}$ or $\{t'_y\} < \{t'_x\}$. Let us consider
the first case. From Lemma 3 and (5), we need to find a value of $\{t'_{i+1}\}$ such
that $\{t'_x\} < \{t'_{i+1}\} < \{t'_y\}$. By induction hypothesis we have $\{t'_y\} \in I$ and the
following two cases for $\{t'_x\}$:

— either $\{t'_x\} = 0$, then $\{t_x\} = 0$ by induction, hence $\{t_{i+1}\} > 0$ as
$\{u_{i+1}(x)\} > 0$. Since $\{t_{i+1}\} \in (0;1)$ we must choose $\{t'_{i+1}\}$ in $I$. Taking = '
fulfills all the requirements.

— or $\{t'_x\} \in I$. Then choosing = — — — - yields a solution.

It remains to consider the case when $\{t'_y\} < \{t'_x\}$. Applying Lemma 3 on (5)
yields two sets of solutions: $\{t'_{i+1}\} < \{t'_y\}$ or $\{t'_x\} < \{t'_{i+1}\}$.

— If $\{t_{i+1}\} \in (0;1)$, then $\{t'_{i+1}\} =$ ^'^+ b is a solution as $\{t'_x\} < \{t'_{i+1}\}$ and,
by induction hypothesis, $\{t'_x\} \in I$ since $\{t'_y\} < \{t'_x\}$ (i.e. $\{t'_x\} \neq 0$).

— Now, if $\{t_{i+1}\} = 0$ we have $\{t_y\} > 0$. Indeed, as $y \in X_{j-1}$, we have
$\{u_{i+1}(y)\} = \{t_{i+1} - t_y\} > 0$ and $\{t_y\} = 0$ entails $\{t_{i+1}\} > 0$, a
contradiction. By induction hypothesis, from $\{t_y\} > 0$ we get $\{t'_y\} > 0$. Hence, we
can pick $\{t'_{i+1}\} = 0$ which satisfies $\{t'_{i+1}\} < \{t'_y\}$.

Finally, it remains the case when the ordering of fractional parts is the same
in $v_i$ and $u_{i+1}$. Then, considering $X_j = X_0$, and $X_{j-1} = X_k$ yields a solution
for $\{t'_{i+1}\}$ as stated above.

D.2 Abstraction of communicating timed automata with emptiness tests is difficult

In this section we discuss why our abstraction (presented in Section 4) does not
work with emptiness tests and why it seems difficult to find a suitable abstraction
that preserves the topology. Notice that an abstraction that does not preserve
the topology is known for the particular case of a channel with distinct sender
and receiver [18].

Our construction is not sound for emptiness test. We propose the simple example
in Figure 6. From top to bottom, there are a sender and a receiver, communicating
via a channel $c$. We can easily verify that there is no global run in this
system. Indeed, the actions along a global run have to be in the following order:
$c!a;\ c?a;\ c{=}{=}\varepsilon;\ c!a$. Then the emptiness test cannot be satisfied as $c$ is not
empty. Hence the receiver cannot reach its final location. On the contrary, the
system of communicating tick automata obtained by applying the construction
in Section 4 has a global run that reaches the final locations. This system is
depicted in Figure 7. The global run corresponds to the sequence of actions
$c!a;\ c?a;\ c{=}{=}\varepsilon;\ \tau;\ c{=}{=}\varepsilon;\ c!a;\ c?a$ where both processes synchronize on $\tau$. Observe
that this global run cannot be re-scheduled in the spirit of the Rescheduling
Lemma. Indeed, both real-time constraints and dependencies between the
communication actions prevent swapping the actions $c{=}{=}\varepsilon;\ c!a$ into $c!a;\ c{=}{=}\varepsilon$.

Fig. 6: A counter-example to our abstraction with emptiness test. Transition
labels of the sender (top): $0<x<1,\ c!a,\ \{x\}$; $x=1,\ c!a,\ \{x\}$. Transition labels
of the receiver (bottom): $0<y<1,\ c?a$; $0<y<1,\ c{=}{=}\varepsilon,\ \{y\}$; $y=1,\ c{=}{=}\varepsilon,\ \{y\}$;
$0<y<1,\ c?a,\ \{y\}$.




Fig. 7: A counter-example to our abstraction with emptiness test.

Why soundness is hard to achieve. Our abstraction is based on the possibility to
define a partition scheduling that allocates one slot per time unit (the interval
$I$ in the Rescheduling Lemma) to each process in the system. In the previous
section, we have seen that in presence of emptiness test, one slot per process
may not be sufficient. We now show that we cannot even find a bound on the
number of slots per time unit needed by each process.

Fig. 8: A counter-example to our abstraction with emptiness test.



Figure 8 shows an example with a sender $p$ (left) and a receiver $q$ (right)
that communicate via a channel $c = (p,q)$. Consider a global run of the system
where the sender $p$ performs actions $c!a;\ c!b$ while the receiver $q$ does actions
$c?a;\ c{=}{=}\varepsilon;\ c?b$. Obviously, $q$ has to perform the emptiness test $c{=}{=}\varepsilon$ between
the two emissions by $p$. Observe that both processes can iterate this behavior.
Finally, all these actions occur in one time unit. This shows that the number of
slots needed by $p$ and $q$ depends on the number of iterations on their respective
loops. Thus there may not be a uniform choice of slots in presence of emptiness
tests.

Notice that this is due to a convergence phenomenon but not necessarily to
Zeno behaviors. Adding loops that reset the clocks on the initial locations of
both processes, we could let one time unit elapse infinitely often, but the problem
would remain the same.



